CVE-2020-1953
CRITICAL: Apache Commons Configuration <2.7 - Code Injection
Title source: llmDescription
Apache Commons Configuration uses a third-party library to parse YAML files which, by default, allows the instantiation of arbitrary classes when the YAML contains special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change this library's default settings, so if a YAML file was loaded from an untrusted source, it could load and execute code outside the control of the host application.
References (4)
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676%40%3Ccommits.camel.apache.org%3E
Mailing List (x_refsource_misc): https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E
Third Party Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuoct2020.html
Scores
CVSS v3: 10.0
EPSS: 0.0273
EPSS Percentile: 86.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
Status: published
Products (15)
apache/commons_configuration 2.2
apache/commons_configuration 2.3
apache/commons_configuration 2.4
apache/commons_configuration 2.5
apache/commons_configuration 2.6
oracle/database_server 11.2.0.4
oracle/database_server 12.1.0.2
oracle/database_server 12.2.0.1
oracle/database_server 18c
oracle/database_server 19c
... and 5 more
Published: Mar 13, 2020
Tracked Since: Feb 18, 2026