cbcvebase.
CVE-2020-1947
published 2020-03-11


Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 33.92% (98.2th percentile)
In Apache ShardingSphere (incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere web console uses the SnakeYAML library to parse YAML input when loading datasource configuration. SnakeYAML allows data to be unmarshalled into an arbitrary Java type by means of a YAML tag, so unmarshalling untrusted YAML can lead to remote code execution (RCE).

Affected (3 ranges)

Vendor                       Product                  Version range   Fixed in
apache                       shardingsphere
apache_software_foundation   apache_shardingsphere
apache_software_foundation   apache_shardingsphere

Detection & IOCs (extracted from sources)

URL:    POST /api/schema HTTP/1.1
Path:   /api/schema
Other:  com.sun.rowset.JdbcRowSetImpl
ET rule (sid 2035008; written in Suricata syntax, note the http1 protocol and http.request_line / http.request_body sticky buffers):
alert http1 any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache ShardingSphere RCE Attempt (CVE-2020-1947) (PoC Based)"; flow:established,to_server; http.request_line; content:"POST|20|/api/schema|20|HTTP/1.1"; http.request_body; content:"ruleConfiguration"; nocase; content:"encryptor"; nocase; content:"|22|dataSourceConfiguration|22 3a 20 22 21 21|com|2e|sun|2e|rowset|2e|JdbcRowSetImpl|5c|n"; nocase; fast_pattern; content:"dataSourceName:"; nocase; content:"Object"; nocase; within:60; reference:cve,2020-1947; classtype:attempted-admin; sid:2035008; rev:4;)
Bytes (the rule's hex content match):
|22|dataSourceConfiguration|22 3a 20 22 21 21|com|2e|sun|2e|rowset|2e|JdbcRowSetImpl|5c|n
which decodes to the literal string: "dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl\n
  • The exploit payload is delivered by HTTP POST to /api/schema, the ShardingSphere web console's datasource configuration endpoint. Look for POST requests to this path.
  • The request body contains the keywords 'ruleConfiguration' and 'encryptor', characteristic of the datasource configuration update the exploit abuses.
  • The SnakeYAML gadget chain is triggered by the YAML tag '!!' followed by 'com.sun.rowset.JdbcRowSetImpl' in the dataSourceConfiguration field. The YAML document is carried as a JSON string value, so its line breaks appear in the raw body as the two characters '\n'; the signature's hex content therefore decodes to the literal string '"dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl\n' (including the single space after the colon, which the match requires).
  • The body also contains 'dataSourceName:' followed by 'Object' within 60 bytes ('within:60' is measured from the end of the preceding match), which serves as an additional co-occurrence filter to reduce false positives.
  • RCE is achieved by unmarshalling untrusted YAML with SnakeYAML's default constructor: a '!!' global tag naming a fully qualified class (here '!!com.sun.rowset.JdbcRowSetImpl') is resolved to that Java class, which is instantiated and populated from the mapped properties. Monitor for '!!' type tags in any user-supplied YAML reaching ShardingSphere.
  • The ET rule is explicitly PoC-based (derived from a known proof-of-concept). Real-world exploit payloads may differ in structure, field ordering, whitespace or encoding and evade this signature.
  • Affected versions are specifically 4.0.0-RC3 and 4.0.0 of Apache ShardingSphere (incubator). Apply version scoping when deploying detections to avoid noise on patched instances.
  • The ET rule targets both perimeter and internal deployments, reflecting that the ShardingSphere web console may be exposed internally. Ensure the $HOME_NET and $HTTP_SERVERS variables are correctly scoped in your sensor configuration.
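As an added example (not code from this advisory, the ET rule set, or the ShardingSphere project), the detection logic described above re-implemented in Python and run over constructed sample requests. The endpoint, field names and gadget class come from the rule; the request bodies, the host name and the placeholder dataSourceName value are made up and non-functional. It goes beyond the signature with a generic scan for any '!!'-tagged Java class inside JSON string values, which catches the reordered or re-spaced variants the PoC-based signature misses.

```python
"""Re-implementation of the ET sid:2035008 matching logic plus a generic
'!!' Java-tag scan. Added example; sample requests below are constructed."""
import json
import re

# Sticky-buffer equivalents of the rule's content matches.
REQUEST_LINE = b"POST /api/schema HTTP/1.1"
# Decoded form of the rule's hex content: the YAML sits in a JSON string,
# so the newline is the two raw bytes backslash + 'n'.
GADGET_MARKER = b'"dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl\\n'
# Assumed heuristic (not part of the rule): any '!!' tag naming a dotted
# fully qualified class, which is how SnakeYAML selects a Java type.
JAVA_TAG_RE = re.compile(r"!!([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+)")


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[0], body


def matches_et_rule(raw: bytes) -> bool:
    """Mirror the rule: exact request line, case-insensitive keywords, the
    gadget marker, and 'Object' fully inside the 60 bytes that follow the
    end of 'dataSourceName:' (Suricata 'within' semantics)."""
    request_line, body = split_request(raw)
    if request_line != REQUEST_LINE:
        return False
    low = body.lower()
    if b"ruleconfiguration" not in low or b"encryptor" not in low:
        return False
    if GADGET_MARKER.lower() not in low:
        return False
    pos = low.find(b"datasourcename:")
    if pos < 0:
        return False
    start = pos + len(b"datasourcename:")
    return b"object" in low[start:start + 60]


def _walk(node, found):
    """Collect '!!' Java tags from every string value in a JSON document."""
    if isinstance(node, str):
        found.extend(JAVA_TAG_RE.findall(node))
    elif isinstance(node, dict):
        for value in node.values():
            _walk(value, found)
    elif isinstance(node, list):
        for value in node:
            _walk(value, found)


def java_tags_in_body(body: bytes) -> list:
    """List every '!!'-tagged Java class in the body, independent of field
    order or whitespace; falls back to a raw scan if the body is not JSON."""
    try:
        doc = json.loads(body)
    except ValueError:
        return JAVA_TAG_RE.findall(body.decode("utf-8", "replace"))
    found = []
    _walk(doc, found)
    return found


def build_request(body: bytes, request_line: bytes = REQUEST_LINE) -> bytes:
    """Assemble a raw request; host name is a constructed placeholder."""
    return (request_line + b"\r\nHost: shardingsphere.example\r\n"
            b"Content-Type: application/json\r\n\r\n" + body)


# Constructed bodies. The dataSourceName value is a non-functional placeholder.
POC_BODY = (
    b'{"name": "sharding_db", "ruleConfiguration": {"encryptor": "x"}, '
    b'"dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl\\n'
    b'  dataSourceName: placeholder://example/Object\\n"}'
)
# Same gadget, but no space after the colon: evades the hex signature.
VARIANT_BODY = (
    b'{"dataSourceConfiguration":"!!com.sun.rowset.JdbcRowSetImpl\\n'
    b'  dataSourceName: placeholder://example/Object\\n", '
    b'"ruleConfiguration": {"encryptor": "x"}}'
)
BENIGN_BODY = (
    b'{"name": "demo", "ruleConfiguration": {"encryptor": "aes"}, '
    b'"dataSourceConfiguration": "dataSourceName: ds0\\n"}'
)

if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("variant", VARIANT_BODY),
                        ("benign", BENIGN_BODY)):
        print(label, matches_et_rule(build_request(body)),
              java_tags_in_body(body))
```

The signature check and the tag scan disagree on the variant body: the hex content match needs the exact byte sequence `": "!!com.sun...`, so removing one space is enough to slip past it, while the JSON-aware scan still reports the class. In production the tag scan would run on the decoded body in a WAF or application log pipeline, with the ET rule kept for wire-level coverage.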

CVSS provenance

NVD v3.1: 9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P