CVE-2020-1953: Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration
Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: 2.2 to 2.6

Description: Apache Commons Configuration uses a third-party library to parse YAML files which, by default, allows the instantiation of classes if the YAML includes special statements. If a YAML file comes from an untrusted source, it can therefore load and execute code outside the control of the host application.

Mitigation: Users should upgrade to 2.7, which prevents class instantiation by the YAML processor.

Credit: This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team.

Oliver Heger on behalf of the Apache Commons PMC
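The following is an added illustration, not code from the advisory or from Commons Configuration, of the kind of restriction the mitigation describes: loading YAML with a constructor that only knows the standard YAML tags, so that an explicit class tag is rejected rather than instantiated. It assumes the third-party parser is SnakeYAML 1.x (where the no-argument SafeConstructor exists); the SafeYamlLoader class and its loadUntrusted method are hypothetical names chosen for this example.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/** Hypothetical helper: loads untrusted YAML into plain maps, lists and scalars only. */
public final class SafeYamlLoader {

    public static Map<String, Object> loadUntrusted(String yamlText) {
        // SafeConstructor resolves only the standard YAML tags (str, int, map, seq, ...).
        // A tag naming a Java class has no registered constructor and is rejected,
        // whereas the default constructor would try to instantiate that class.
        Yaml yaml = new Yaml(new SafeConstructor()); // SnakeYAML 1.x signature (assumption)
        Object root = yaml.load(yamlText);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        // Constructed sample: what a configuration file legitimately contains.
        String benign = "database:\n  host: db.internal\n  port: 5432\n";
        System.out.println(loadUntrusted(benign)); // {database={host=db.internal, port=5432}}

        // Constructed sample: a document carrying an explicit class tag (a harmless JDK class
        // is used here). SafeConstructor refuses it instead of instantiating the class.
        String tagged = "value: !!java.util.Locale {}\n";
        try {
            loadUntrusted(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Commons Configuration 2.7 applies this kind of restriction inside its own YAML handling, so upgrading is the fix for applications using the library; the wrapper above is only for code that calls the YAML parser directly.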