CVE-2020-1953

Apache Commons Configuration uses a third-party library to parse YAML files which, by default, allows the instantiation of arbitrary classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change the default settings of this library, so if a YAML file was loaded from an untrusted source, it could load and execute code outside the control of the host application.
Base Score (CVSS 3.x)

Provider  Type  Base Score   Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  10 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
apache    CNA   ---          ---
CVE       ADP   ---          ---

EPSS Score percentile: 86%
Vendor  Product                Version
apache  commons_configuration  2.2
apache  commons_configuration  2.3
apache  commons_configuration  2.4
apache  commons_configuration  2.5
apache  commons_configuration  2.6
oracle  database_server        11.2.0.4
oracle  database_server        12.1.0.2
oracle  database_server        12.2.0.1
oracle  healthcare_foundation  7.1.1
oracle  healthcare_foundation  7.2.0
oracle  healthcare_foundation  7.2.1
oracle  healthcare_foundation  7.3.0

x = Vulnerable software versions
Debian Releases

Debian Product          Codename             Version          Status
commons-configuration2  bullseye (security)  2.8.0-1~deb11u1  fixed
commons-configuration2  bullseye             2.8.0-1~deb11u1  fixed
commons-configuration2  bookworm             2.8.0-2          fixed
commons-configuration2  sid                  2.11.0-2         fixed
commons-configuration2  trixie               2.11.0-2         fixed
Ubuntu Releases

Ubuntu Product          Codename  Status
commons-configuration2  noble     not-affected
commons-configuration2  mantic    not-affected
commons-configuration2  lunar     not-affected
commons-configuration2  kinetic   not-affected
commons-configuration2  jammy     not-affected
commons-configuration2  impish    not-affected
commons-configuration2  hirsute   not-affected
commons-configuration2  groovy    not-affected
commons-configuration2  focal     needed
commons-configuration2  eoan      ignored
commons-configuration2  bionic    needed
commons-configuration2  xenial    dne
commons-configuration2  trusty    dne