Vulnerability Details CVE-2020-1947
In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows to unmarshal data to a Java type By using the YAML tag. Unmarshalling untrusted data can lead to security flaws of RCE.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.89
EPSS Ranking 99.5%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
Products affected by CVE-2020-1947
-
cpe:2.3:a:apache:shardingsphere:4.0.0