CVE-2020-1947

CRITICAL LAB

Apache ShardingSphere 4.0.0-RC3-4.0.0 - Remote Code Execution via SnakeYAML Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2020-1947. PoCs published by jas502n, wsfengfan, StarkChristmas.

AI-analyzed exploit summary This repository provides a proof-of-concept for CVE-2020-1947, a YAML deserialization vulnerability in Apache ShardingSphere UI 4.0.0. The exploit leverages a malicious YAML payload to achieve remote code execution via LDAP reference injection.

Description

In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows to unmarshal data to a Java type By using the YAML tag. Unmarshalling untrusted data can lead to security flaws of RCE.

Exploits (4)

nomisec WORKING POC 31 stars
by jas502n · poc
https://github.com/jas502n/CVE-2020-1947

This repository provides a proof-of-concept for CVE-2020-1947, a YAML deserialization vulnerability in Apache ShardingSphere UI 4.0.0. The exploit leverages a malicious YAML payload to achieve remote code execution via LDAP reference injection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache ShardingSphere UI 4.0.0
Auth required
Prerequisites: Access to the target application · Valid credentials (default: admin/admin) · LDAP server for payload delivery
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by wsfengfan · poc
https://github.com/wsfengfan/CVE-2020-1947

This PoC exploits a deserialization vulnerability in Apache ShardingSphere by sending a malicious payload via the `/api/schema` endpoint, leveraging the `JdbcRowSetImpl` gadget to trigger an LDAP-based RCE. The exploit requires authentication and a crafted LDAP server to execute arbitrary commands.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Apache ShardingSphere (versions affected by CVE-2020-1947)
Auth required
Prerequisites: Valid Access-Token · LDAP server hosting malicious payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by StarkChristmas · poc
https://github.com/StarkChristmas/CVE-2020-1947

This repository contains a proof-of-concept exploit for CVE-2020-1947, a deserialization vulnerability in Apache ShardingSphere UI. The exploit leverages SnakeYAML's unsafe deserialization to achieve remote code execution via a malicious YAML payload.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Apache ShardingSphere UI 4.0.0-RC3, 4.0.0
Auth required
Prerequisites: Access to the target's API endpoint · LDAP server for payload delivery
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by shadowsock5 · poc
https://github.com/shadowsock5/ShardingSphere_CVE-2020-1947

This PoC exploits CVE-2020-1947 by implementing a malicious ScriptEngineFactory that executes arbitrary code during class initialization. It demonstrates RCE by triggering a ping command to a remote domain.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Apache ShardingSphere (versions affected by CVE-2020-1947)
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache ShardingSphere with the malicious class loaded
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 9.8
EPSS 0.3392
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull lazychristmas/cve-2020-1947:v3.0
+1 more repos

Details

CWE
CWE-502
Status published
Products (2)
apache/shardingsphere 4.0.0 (2 CPE variants)
org.apache.shardingsphere/shardingsphere 4.0.0-RC3 - 4.0.1Maven
Published Mar 11, 2020
Tracked Since Feb 18, 2026