====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN160
_____________________________________________________________________

DATE                : 25/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Commons versions prior to
                                            2.7.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202003.mbox/%3c0c661bbe-4e91-d4b1-8bda-c19df1970b3a@apache.org%3e
_____________________________________________________________________

CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
in Apache Commons Configuration

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
2.2 to 2.6

Description:
Apache Commons Configuration uses a third-party library to parse YAML
files which by default allows the instantiation of classes if the YAML
includes special statements. If a YAML file is from an untrusted source,
it can therefore load and execute code out of the control of the host
application.

Mitigation:
Users should upgrade to to 2.7, which prevents class instantiation by
the YAML processor.

Credit:
This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team

Oliver Heger
on behalf of the Apache Commons PMC


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================