Vulnerability in Apache Commons Configuration
CVE-2020-1953
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not…
EPSS: 0.027 (86.3rd percentile)
Affected products
- Apache Commons Configuration — versions 2.2, 2.3, 2.4
References
- [camel-commits] 20200313 [camel] branch camel-3.1.x updated: Update Commons Configuration 2 due to CVE-2020-1953 (mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368… (x_refsource_MISC)
- www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
- lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66b… (x_refsource_MISC)