The form at Mitre was just submitted, so I assume that the issue will be visible soon.

Oliver

On 12.03.20 at 19:18, Gary Gregory wrote:
> Note that https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1953 is not
> "live" yet.
>
> Gary
>
> On Thu, Mar 12, 2020 at 1:53 PM Oliver Heger <ohe...@apache.org> wrote:
>
>> CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
>> in Apache Commons Configuration
>>
>> Severity: Moderate
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> 2.2 to 2.6
>>
>> Description:
>> Apache Commons Configuration uses a third-party library to parse YAML
>> files which by default allows the instantiation of classes if the YAML
>> includes special statements. If a YAML file is from an untrusted source,
>> it can therefore load and execute code out of the control of the host
>> application.
>>
>> Mitigation:
>> Users should upgrade to 2.7, which prevents class instantiation by
>> the YAML processor.
>>
>> Credit:
>> This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team
>>
>> Oliver Heger
>> on behalf of the Apache Commons PMC
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
>>
>>
>
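The mitigation in the advisory comes down to how the YAML parser object is constructed. The following is an added illustration, not code from the advisory or from Commons Configuration itself: Commons Configuration's YAML support is built on SnakeYAML, and the snippet assumes SnakeYAML 1.33 or newer (for the LoaderOptions argument to SafeConstructor). It uses a harmless java.util.Locale tag, chosen only to show that the default constructor instantiates whatever class the document names while SafeConstructor rejects the tag outright.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoadingDemo {

    // Constructed sample document. The "!!" global tag names an arbitrary JVM
    // class and a constructor argument list; java.util.Locale is used here only
    // because it is harmless. A hostile file would name any class on the classpath.
    static final String UNTRUSTED_YAML =
            "database:\n"
          + "  host: db.example.internal\n"
          + "  port: 5432\n"
          + "locale: !!java.util.Locale [\"en\"]\n";

    // The pattern affected by CVE-2020-1953: a plain Yaml instance resolves
    // global tags to classes and instantiates them while loading the document.
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // The hardened pattern: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and throws on any tag that names a Java class,
    // so the document can no longer choose what gets instantiated.
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadUnsafe(UNTRUSTED_YAML);
        // "locale" is now a live object of a class picked by the document author.
        System.out.println("default loader: locale is a "
                + unsafe.get("locale").getClass().getName());

        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("safe loader: unexpectedly accepted the tag");
        } catch (ConstructorException e) {
            // Expected: the class-naming tag is rejected before anything is built.
            System.out.println("safe loader: rejected -> " + e.getMessage());
        }
    }
}
```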