Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-1953

Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.

Published

2020-03-13T15:15:11.373

Last Modified

2024-11-21T05:11:43.567

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 10.0 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	commons_configuration	2.2	Yes
Application	apache	commons_configuration	2.3	Yes
Application	apache	commons_configuration	2.4	Yes
Application	apache	commons_configuration	2.5	Yes
Application	apache	commons_configuration	2.6	Yes
Application	oracle	database_server	11.2.0.4	Yes
Application	oracle	database_server	12.1.0.2	Yes
Application	oracle	database_server	12.2.0.1	Yes
Application	oracle	database_server	18c	Yes
Application	oracle	database_server	19c	Yes
Application	oracle	healthcare_foundation	7.1.1	Yes
Application	oracle	healthcare_foundation	7.2.0	Yes
Application	oracle	healthcare_foundation	7.2.1	Yes
Application	oracle	healthcare_foundation	7.3.0	Yes

References

https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269%40%3Ccommits.servicecomb.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676%40%3Ccommits.camel.apache.org%3E ([email protected])
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269%40%3Ccommits.servicecomb.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676%40%3Ccommits.camel.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)