CVE-2020-1947

Name of the Vulnerable Software and Affected Versions Apache ShardingSphere(incubator) versions 4.0.0-RC3 through 4.0.0

Description The ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows unmarshalling data to a Java type by using the YAML tag. Unmarshalling untrusted data can lead to security flaws of Remote Code Execution (RCE).

Recommendations For Apache ShardingSphere(incubator) versions 4.0.0-RC3 through 4.0.0, consider disabling the use of the SnakeYAML library for parsing YAML inputs until a patch is available. Restrict access to the web console to minimize the risk of exploitation. Avoid using untrusted YAML inputs in the datasource configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.