CVE-2020-1947
Published: 2020-03-11
Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 33.92% (98.2th percentile)
In Apache ShardingSphere (incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere web console uses the SnakeYAML library to parse YAML input when loading datasource configuration. SnakeYAML allows data to be unmarshalled into a Java type selected by a YAML tag. Unmarshalling untrusted data this way can lead to remote code execution (RCE).
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | shardingsphere | — | — |
| apache_software_foundation | apache_shardingsphere | — | — |
| apache_software_foundation | apache_shardingsphere | — | — |
Detection & IOCs (extracted from sources)
- url: POST /api/schema HTTP/1.1
- path: /api/schema
- other: com.sun.rowset.JdbcRowSetImpl

Snort rule:

```
alert http1 any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache ShardingSphere RCE Attempt (CVE-2020-1947) (PoC Based)"; flow:established,to_server; http.request_line; content:"POST|20|/api/schema|20|HTTP/1.1"; http.request_body; content:"ruleConfiguration"; nocase; content:"encryptor"; nocase; content:"|22|dataSourceConfiguration|22 3a 20 22 21 21|com|2e|sun|2e|rowset|2e|JdbcRowSetImpl|5c|n"; nocase; fast_pattern; content:"dataSourceName:"; nocase; content:"Object"; nocase; within:60; reference:cve,2020-1947; classtype:attempted-admin; sid:2035008; rev:4;)
```

Matched bytes (the fast_pattern content):

```
|22|dataSourceConfiguration|22 3a 20 22 21 21|com|2e|sun|2e|rowset|2e|JdbcRowSetImpl|5c|n
```

Decoded, this byte pattern is the JSON-escaped text `"dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl\n`, where the trailing `|5c|n` is a literal backslash followed by `n` (the escaped newline inside the JSON string), not a raw newline byte.
Indicators:
- The exploit payload is delivered via an HTTP POST to /api/schema (the ShardingSphere web console datasource configuration endpoint). Look for POST requests to this path.
- The request body contains the keywords 'ruleConfiguration' and 'encryptor', characteristic of the datasource configuration manipulation used in the exploit.
- The SnakeYAML gadget chain is triggered by the YAML tag '!!' followed by 'com.sun.rowset.JdbcRowSetImpl' in the dataSourceConfiguration field. Detect the literal string '"dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl' in the POST body.
- The body also contains 'Object' within 60 bytes after 'dataSourceName:' (the rule's within:60 modifier), which serves as an additional co-occurrence filter to reduce false positives.
- The RCE is achieved by unmarshalling untrusted YAML input through SnakeYAML's '!!' type tag feature, which allows instantiation of arbitrary Java classes. Monitor for YAML payloads containing '!!' type coercions in any user-supplied input to ShardingSphere.

Caveats:
- The Snort/ET rule is explicitly PoC-based (derived from a known proof of concept). Real-world exploit payloads may vary in structure, field ordering, or encoding, potentially evading this signature.
- Affected versions are specifically 4.0.0-RC3 and 4.0.0 of Apache ShardingSphere (incubator). Apply version scoping when deploying detections to avoid noise on patched instances.
- The ET rule targets both perimeter and internal deployments, reflecting that the ShardingSphere web console may be exposed internally. Ensure the $HOME_NET and $HTTP_SERVERS variables are correctly scoped in your sensor configuration.
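The content checks of ET sid 2035008 above, re-implemented as an added example (not code from the page, the ET ruleset or the ShardingSphere project) so the same logic can be run over extracted HTTP request bodies during log review. Suricata semantics are approximated: `within:60` is modelled as 'Object' starting in the 60 bytes after the end of a 'dataSourceName:' match, and the two sample bodies are constructed, not captured traffic.

```python
# Added example, not from the page or the ET ruleset. Approximates the
# Suricata content semantics of sid 2035008 for offline log review.

# The rule's byte pattern |22|dataSourceConfiguration|22 3a 20 22 21 21|...|5c|n
# decodes to the JSON-escaped text below (a backslash and an n, not a newline).
GADGET_MARKER = '"dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl\\n'
REQUEST_LINE = "POST /api/schema HTTP/1.1"
WITHIN = 60


def object_follows_datasourcename(body: str, within: int = WITHIN) -> bool:
    """content:"dataSourceName:"; nocase; content:"Object"; nocase; within:60;"""
    low = body.lower()
    needle = "datasourcename:"
    start = low.find(needle)
    while start != -1:
        end = start + len(needle)
        if "object" in low[end:end + within]:
            return True
        start = low.find(needle, end)
    return False


def matches_et_2035008(request_line: str, body: str) -> bool:
    """True when every content check of the rule is satisfied (all nocase)."""
    if REQUEST_LINE not in request_line:
        return False
    low = body.lower()
    if "ruleconfiguration" not in low or "encryptor" not in low:
        return False
    if GADGET_MARKER.lower() not in low:
        return False
    return object_follows_datasourcename(body)


# Constructed sample bodies for exercising the checks; not captured traffic.
BENIGN_BODY = (
    '{"ruleConfiguration": "tables: {}", '
    '"dataSourceConfiguration": "ds0:\\n  url: jdbc:h2:mem:test\\n"}'
)
SUSPICIOUS_BODY = (
    '{"ruleConfiguration": "encryptors: {}", "encryptor": "aes", '
    '"dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl\\n'
    '  dataSourceName: placeholder-Object-ref\\n"}'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, matches_et_2035008(REQUEST_LINE, body))
```

Because the marker is the exact PoC formatting (including the `": "` spacing), a body that differs in whitespace or field order will not match, which is the PoC-based limitation noted in the caveats.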
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA · 2022-02-10
CVE-2020-1947 [HIGH] CWE-502 Deserialization of Untrusted Data in Apache ShardingSphere

OSV · 2022-02-10
CVE-2020-1947 [HIGH] Deserialization of Untrusted Data in Apache ShardingSphere
Suricata · 2022-01-28 · CVSS 9.8
CVE-2020-1947 [CRITICAL] ET EXPLOIT Possible Apache ShardingSphere RCE Attempt (CVE-2020-1947) (PoC Based)

Rule (as indexed, truncated at the source):

```
alert http1 any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache ShardingSphere RCE Attempt (CVE-2020-1947) (PoC Based)"; flow:established,to_server; http.request_line; content:"POST|20|/api/schema|20|HTTP/1.1"; http.request_body; content:"ruleConfiguration"; nocase; content:"encryptor"; nocase; content:"|22|dataSourceConfiguration|22 3a 20 22 21 21|com|2e|sun|2e|rowset|2e|JdbcRowSetImpl|5c|n"; nocase; fast_pattern; content:"dataSourceName:"; nocase; content:"Object"; nocase; within:60; reference:cve,2020-1947; classtype:attempted-admin; sid:2035008; rev:4; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_1947, deployment Perimeter, deployment Internal, confidence
```
Suricata · 2010-07-30
CVE-2008-1947 ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt

Rule (as indexed, truncated at the source):

```
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/host-manager/html/add"; nocase; content:"method="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/29502/info; reference:cve,2008-1947; classtype:web-application-attack; sid:2010146; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2008_1947, deployment Datacenter, confidence Medium, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_1
```
No writeups or analysis indexed.