A flaw was found in Apache Commons Configuration, which uses a third-party library to process YAML files; by default, that library allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could load and execute code outside the control of the host application.
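As an added illustration (not code from Apache Commons Configuration or its advisory), the SnakeYAML behaviour the description refers to, assuming SnakeYAML 1.x, a constructed `Greeting` bean and a constructed YAML document: the library's default `Constructor` lets a `!!` tag inside the YAML choose which class gets instantiated, whereas `SafeConstructor` rejects such tags while still loading ordinary configuration data. Commons Configuration parses YAML through SnakeYAML, so this is the default setting the affected releases left in place.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlConstructorDemo {
    // Constructed, harmless bean standing in for "any class on the classpath".
    public static class Greeting {
        private String text;
        public String getText() { return text; }
        public void setText(String text) { this.text = text; }
    }

    // Constructed document. The "!!" tag is the "special statement": it names a
    // Java class (by JVM binary name, hence the '$' for a nested class) for the
    // loader to instantiate and populate from the mapping.
    static final String TAGGED_DOC = "hello: !!YamlConstructorDemo$Greeting {text: hi}\n";

    // Vulnerable pattern (SnakeYAML 1.x default): "!!" tags resolve to classes,
    // so the YAML author, not the application, decides what is instantiated.
    static Object loadWithDefaults(String doc) {
        return new Yaml(new Constructor()).load(doc);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and throws on any class-naming tag.
    static Object loadSafely(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadWithDefaults(TAGGED_DOC);
        // The value is a Greeting instance created because the document asked for one.
        System.out.println("default loader built: " + unsafe.get("hello").getClass().getName());

        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // Expected: "could not determine a constructor for the tag tag:yaml.org,2002:YamlConstructorDemo$Greeting"
            System.out.println("safe loader rejected it: " + e.getMessage());
        }

        // Ordinary configuration (no tags) still loads with the safe loader, as a plain Map.
        Map<?, ?> plain = (Map<?, ?>) loadSafely("hello: {text: hi}\n");
        System.out.println("safe loader built: " + plain.get("hello").getClass().getName());
    }
}
```

In SnakeYAML 2.x the no-argument constructors above are gone and the default `Constructor` also refuses global tags unless a `TagInspector` explicitly allows them, so the vulnerable branch only reproduces on the 1.x line.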
There is currently no mitigation available for this vulnerability.
bugzilla.redhat.com/show_bug.cgi?id=1815212
github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641
lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2020-1953
www.cve.org/CVERecord?id=CVE-2020-1953