CVE-2020-1953: Input Validation
First published: Fri Mar 13 2020(Updated: )
A flaw was found in the Apache Commons Configuration, where it uses a third-party library to process YAML files, which by default, allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could load and execute code out of the control of the host application.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/commons-configuration | <2.7 | 2.7 |
| Apache Commons Configuration | =2.2 | |
| Apache Commons Configuration | =2.3 | |
| Apache Commons Configuration | =2.4 | |
| Apache Commons Configuration | =2.5 | |
| Apache Commons Configuration | =2.6 | |
| Oracle Database | =11.2.0.4 | |
| Oracle Database | =12.1.0.2 | |
| Oracle Database | =12.2.0.1 | |
| Oracle Database | =18c | |
| Oracle Database | =19c | |
| Oracle Healthcare Foundation | =7.1.1 | |
| Oracle Healthcare Foundation | =7.2.0 | |
| Oracle Healthcare Foundation | =7.2.1 | |
| Oracle Healthcare Foundation | =7.3.0 |
Remedy
There is currently no mitigation available for this vulnerability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-1953 https://nvd.nist.gov/vuln/detail/CVE-2020-1953 https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641 https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi?id=1815212
- https://access.redhat.com/errata/RHSA-2020:2751
- https://access.redhat.com/errata/RHSA-2020:3133
- https://access.redhat.com/errata/RHSA-2020:3192
- https://access.redhat.com/security/cve/cve-2020-1953
- https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269@%3Ccommits.servicecomb.apache.org%3E
- https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1815213
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1815214
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641
- https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269%40%3Ccommits.servicecomb.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this flaw in Apache Commons Configuration?
The vulnerability ID for this flaw in Apache Commons Configuration is CVE-2020-1953.
What is the severity level of CVE-2020-1953?
CVE-2020-1953 has a severity level of critical (10).
Which versions of Apache Commons Configuration are affected by CVE-2020-1953?
Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 are affected by CVE-2020-1953.
How can I fix the vulnerability CVE-2020-1953?
To fix the vulnerability CVE-2020-1953, upgrade Apache Commons Configuration to version 2.7.
Where can I find more information about CVE-2020-1953?
You can find more information about CVE-2020-1953 in the references section of the vulnerability description.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1953
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/apache
- canonical/apache commons configuration
- version/apache commons configuration/2.2
- version/apache commons configuration/2.3
- version/apache commons configuration/2.4
- version/apache commons configuration/2.5
- version/apache commons configuration/2.6
- vendor/oracle
- canonical/oracle database
- version/oracle database/11.2.0.4
- version/oracle database/12.1.0.2
- version/oracle database/12.2.0.1
- version/oracle database/18c
- version/oracle database/19c
- canonical/oracle healthcare foundation
- version/oracle healthcare foundation/7.1.1
- version/oracle healthcare foundation/7.2.0
- version/oracle healthcare foundation/7.2.1
- version/oracle healthcare foundation/7.3.0