|
|
|||
| Rule General Information |
|---|
| Release Date: | 2024-01-30 | |
| Rule Name: | Apache Commons Configuration Deserialization Vulnerability (CVE-2020-1953) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application. | |
| Impact: | An attacker can carefully construct malicious serialized data and pass it to the application, and execute the malicious code constructed by the attacker when the application deserializes the object. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676 https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269 https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600 https://www.oracle.com/security-alerts/cpuoct2020.html |
|
| Solutions |
|---|
| Refer to the announcement or patch by the vendor: https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600 |