Vulnerability Description
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Configuration | 2.2 |
| Oracle | Database Server | 11.2.0.4 |
| Oracle | Healthcare Foundation | 7.1.1 |
References
- https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf686
- https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752
- https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b
- https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
- https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf686
- https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752
- https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b
- https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
FAQ
What is CVE-2020-1953?
CVE-2020-1953 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration v...
How severe is CVE-2020-1953?
CVE-2020-1953 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-1953?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Commons Configuration, Oracle Database Server, Oracle Healthcare Foundation.