CVE-2020-1953

Name of the Vulnerable Software and Affected Versions Apache Commons Configuration versions 2.2 through 2.6

Description The issue is related to the parsing of YAML files by a third-party library used in Apache Commons Configuration. By default, this library allows the instantiation of classes if the YAML includes special statements. This could lead to the execution of code out of the control of the host application if a YAML file is loaded from an untrusted source. The vulnerability is also associated with insufficient input validation, which could allow a remote attacker to execute arbitrary code.

Recommendations For Apache Commons Configuration versions 2.2 through 2.6, consider disabling the loading of YAML files from untrusted sources as a temporary workaround until a patch is available. Restrict access to the YAML parsing functionality to minimize the risk of exploitation. Avoid using the YAML parsing library with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.