Candidate: CVE-2020-1953
PublicDate: 2020-03-13 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1953
 https://www.openwall.com/lists/oss-security/2020/03/13/1
 https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E
 https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
Description:
 Apache Commons Configuration uses a third-party library to parse YAML files
 which by default allows the instantiation of classes if the YAML includes
 special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4,
 2.5, 2.6 did not change the default settings of this library. So if a YAML
 file was loaded from an untrusted source, it could therefore load and
 execute code out of the control of the host application.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H [10.0 CRITICAL]


Patches_commons-configuration2:
upstream_commons-configuration2: released (2.7-1)
precise/esm_commons-configuration2: DNE
trusty_commons-configuration2: ignored (out of standard support)
trusty/esm_commons-configuration2: DNE
xenial_commons-configuration2: DNE
bionic_commons-configuration2: needed
eoan_commons-configuration2: ignored (reached end-of-life)
focal_commons-configuration2: needed
groovy_commons-configuration2: not-affected (2.7-2)
hirsute_commons-configuration2: not-affected (2.7-2)
impish_commons-configuration2: not-affected (2.7-2)
jammy_commons-configuration2: not-affected (2.7-2)
devel_commons-configuration2: not-affected (2.7-2)