CVE-2022-33980

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/07/06/5	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/11/15/4	Mailing List Third Party Advisory
https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s	Mailing List Vendor Advisory
https://security.netapp.com/advisory/ntap-20221028-0015/	Third Party Advisory
https://www.debian.org/security/2022/dsa-5290	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

28 Nov 2022, 22:15

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2022/dsa-5290 - (MLIST) http://www.openwall.com/lists/oss-security/2022/07/06/5 - (CONFIRM) https://security.netapp.com/advisory/ntap-20221028-0015/ - (MLIST) http://www.openwall.com/lists/oss-security/2022/11/15/4 -

14 Jul 2022, 17:15

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:apache:commons_configuration::::::::
References	~~(CONFIRM) https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s -~~	(CONFIRM) https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s - Mailing List, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8

06 Jul 2022, 14:15

Type	Values Removed	Values Added
Summary	Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.	Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

06 Jul 2022, 13:50

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-07-06 13:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-33980

Mitre link : CVE-2022-33980

CVE.ORG link : CVE-2022-33980

JSON object : View

Products Affected

debian

debian_linux

apache

commons_configuration

netapp

snapcenter

CWE

NVD-CWE-noinfo

9.8 /10