Remote Code Execution (RCE) Affecting org.apache.commons:commons-configuration2 package, versions [2.2, 2.7)

Attack Complexity

High
User Interaction

Required
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-ORGAPACHECOMMONS-560326
published

15 Mar 2020
disclosed

13 Mar 2020
credit

Unknown

Report a new vulnerability Found a mistake?

Introduced: 13 Mar 2020

CVE-2020-1953 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

Upgrade org.apache.commons:commons-configuration2 to version 2.7 or higher.

Overview

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). It uses a third-party library to parse YAML files (org.yaml:snakeyaml) which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration did not change the default settings of this library. Therefore if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.

References

GitHub Commit

Remote Code Execution (RCE) Affecting org.apache.commons:commons-configuration2 package, versions [2.2, 2.7)

Attack Complexity

User Interaction

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 13 Mar 2020

How to fix?

Overview

References