Commons Configuration
CVE-2022-33980
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 562 maven packages depend on org.apache.commons:commons-configuration2 (70 direct, 492 indirect)
Ecosystem-wide dependent count for version 2.4.
DescriptionNVD
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
AnalysisAI
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default. Affected products include: Apache Commons Configuration, Netapp Snapcenter, Debian Debian Linux. Version information: version 2.4.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Commons Configuration
View allApache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of
Out-of-bounds Write vulnerability in Apache Commons Configuration.0 before 2.10.1. Rated high severity (CVSS 7.3), this
Out-of-bounds Write vulnerability in Apache Commons Configuration.0 before 2.10.1. Rated medium severity (CVSS 5.4), thi
Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. Rated medium severity (CVSS 6.5), t
Share
External POC / Exploit Code
Leaving vuln.today