CVE-2020-1947: Deserialization of Untrusted Data

March 11, 2020 (updated March 13, 2020)

In Apache ShardingSphere, the web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows unmarshalling data to a Java type by using the YAML tag. Unmarshalling untrusted data could lead to security flaws such as Remote Code Execution (RCE).

References

nvd.nist.gov/vuln/detail/CVE-2020-1947

Detect and mitigate CVE-2020-1947 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →