CVE-2022-33980

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
apachecommons_configuration
2.4 ≤
𝑥
< 2.8
netappsnapcenter
-
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
commons-configuration2
bullseye (security)
2.8.0-1~deb11u1
fixed
bullseye
2.8.0-1~deb11u1
fixed
buster
not-affected
bookworm
2.8.0-2
fixed
sid
2.11.0-2
fixed
trixie
2.11.0-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
commons-configuration2
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
dne
trusty
dne
References
http://www.openwall.com/lists/oss-security/2022/07/06/5
http://www.openwall.com/lists/oss-security/2022/11/15/4
https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
https://security.netapp.com/advisory/ntap-20221028-0015/
https://www.debian.org/security/2022/dsa-5290
http://www.openwall.com/lists/oss-security/2022/07/06/5
http://www.openwall.com/lists/oss-security/2022/11/15/4
https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
https://security.netapp.com/advisory/ntap-20221028-0015/
https://www.debian.org/security/2022/dsa-5290