Date: Wed, 11 Mar 2020 12:32:54 +0800 From: Chen QingYang <chenqingyang@...che.org> To: oss-security@...ts.openwall.com Subject: [CVE-2020-1947] Apache ShardingSphere(incubator) deserialization vulnerability CVE-2020-1947: Apache ShardingSphere(incubator) deserialization vulnerability Severity: low Vendor: The Apache Software Foundation Versions Affected: ShardingSphere 4.0.0-RC3, 4.0.0 Description: Apache ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows to unmarshal data to a Java type By using the YAML tag. Unmarshalling untrusted data can lead to security flaws of RCE. Mitigation: 4.0.0-RC3 and 4.0.0 users should upgrade to 4.0.1 Example: An attacker can use untrusted data to fill in the DataSource Config after login the sharding-ui. Credit: This issue was discovered by WuXiong of QI`ANXIN YUNYING Labs. References: https://shardingsphere.apache.org/community/en/security/ Chen QingYang Apache ShardingSphere
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.