commons-configuration2 is vulnerable to arbitrary code execution. When parsing YAML files, the library lets the underlying YAML parser instantiate arbitrary Java classes named in the document. An attacker who can supply a malicious YAML file containing the special statements (type tags) that create arbitrary Java objects can therefore execute arbitrary code in the process that loads the configuration. The issue only matters where YAML from an untrusted source reaches the library; deployments that load YAML configuration from untrusted input should upgrade past 2.6 (see the fix commit referenced below) or avoid passing untrusted YAML to the library until they do.
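The following is an added example, not code from this page or from the commons-configuration project, showing the class of bug described above at the level of SnakeYAML, the YAML library that commons-configuration2's `YAMLConfiguration` delegates to. The YAML document, class and method names are constructed for the illustration; it assumes SnakeYAML 1.x, where a bare `new Yaml()` uses the full `Constructor` that resolves `!!` tags to JVM classes. `java.net.URL` is used as the tagged class only because constructing it is harmless; the point is that the parser picks whatever class the document names.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlTagDemo {
    // Constructed sample document: a global tag naming a JVM class. SnakeYAML's
    // default Constructor resolves the tag to java.net.URL and invokes its
    // single-argument constructor with the sequence element as the argument.
    static final String TAGGED =
        "endpoint: !!java.net.URL [\"http://example.invalid/\"]\n";

    // Unsafe default (SnakeYAML 1.x): arbitrary classes on the classpath can be
    // instantiated by the document author.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened form: SafeConstructor only builds standard YAML types (maps,
    // sequences, scalars) and throws on any tag it does not recognise.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> loaded = (Map<?, ?>) loadUnsafe(TAGGED);
        // The value is a java.net.URL object, not a string: the parser ran a
        // constructor chosen by the document.
        System.out.println("unsafe: " + loaded.get("endpoint").getClass().getName());

        try {
            loadSafe(TAGGED);
            System.out.println("safe: unexpectedly accepted tagged document");
        } catch (ConstructorException e) {
            // "could not determine a constructor for the tag tag:yaml.org,2002:java.net.URL"
            System.out.println("safe: rejected, " + e.getMessage());
        }
    }
}
```

Any code that feeds untrusted YAML to a SnakeYAML-based loader should use `SafeConstructor` (or an equivalent allow-list of types) rather than the default `Constructor`; the check to make in a dependency review is whether the library in question exposes the default at all, as commons-configuration2 did up to 2.6.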
CPE

Name | Operator | Version
---|---|---
apache commons configuration | le (less than or equal to) | 2.6
github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641
lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E
lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269@%3Ccommits.servicecomb.apache.org%3E
lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
www.oracle.com/security-alerts/cpuoct2020.html