CVE-2022-33980

Apache Commons Configuration insecure interpolation defaults

Description

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Interpolation happens when a value is read through an interpolating accessor such as getString, not when it is stored, so any text that reaches a configuration value is evaluated at read time.

Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • "script" - executes expressions using the JVM script execution engine (javax.script)
  • "dns" - resolves DNS records
  • "url" - loads values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
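The following is an added example written for this page; it is not code from the Apache project or from the advisory. It assumes commons-configuration2 (any 2.4 to 2.8.0 release, with its commons-text, commons-lang3 and commons-logging dependencies) on the classpath, and it uses only public API of that library: ConfigurationInterpolator.getLookups() to check which prefixes are registered, ConfigurationInterpolator.deregisterLookup() to strip the three prefixes named above, and AbstractConfiguration.installInterpolator() to replace the defaults with an explicit allowlist. The class name, the method names and the two sample property values are constructed for the example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.configuration2.AbstractConfiguration;
import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

/**
 * Added example (not Apache project code): detect and neutralise the
 * "script", "dns" and "url" prefix lookups that Commons Configuration
 * 2.4 to 2.7 registered by default (CVE-2022-33980).
 */
public class LookupHardening {

    /** The prefixes named in the advisory; 2.8.0 dropped them from the defaults. */
    static final String[] DANGEROUS_PREFIXES = {"script", "dns", "url"};

    /** Check: is any of the dangerous prefixes registered on this interpolator? */
    public static boolean hasDangerousLookups(ConfigurationInterpolator interpolator) {
        Map<String, Lookup> lookups = interpolator.getLookups();
        for (String prefix : DANGEROUS_PREFIXES) {
            if (lookups.containsKey(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Workaround 1 (denylist): remove just the three prefixes from the live
     * interpolator of a configuration. Returns how many were actually removed.
     */
    public static int deregisterDangerousLookups(ConfigurationInterpolator interpolator) {
        int removed = 0;
        for (String prefix : DANGEROUS_PREFIXES) {
            if (interpolator.deregisterLookup(prefix)) {
                removed++;
            }
        }
        return removed;
    }

    /**
     * Workaround 2 (allowlist, preferred): install a fresh interpolator that
     * knows only the prefixes this application needs. installInterpolator()
     * does not re-add the library defaults, so any prefix not listed here
     * (script, dns, url included) simply does not resolve.
     */
    public static void installAllowlistedLookups(AbstractConfiguration config) {
        Map<String, Lookup> allowed = new HashMap<>();
        // ${sys:...} and ${env:...} are the only prefixes this example permits.
        allowed.put(DefaultLookups.SYSTEM_PROPERTIES.getPrefix(), DefaultLookups.SYSTEM_PROPERTIES.getLookup());
        allowed.put(DefaultLookups.ENVIRONMENT.getPrefix(), DefaultLookups.ENVIRONMENT.getLookup());
        // No extra prefix-less lookups: installInterpolator() itself adds the
        // configuration's own properties as the fallback lookup.
        config.installInterpolator(allowed, Collections.<Lookup>emptyList());
    }

    public static void main(String[] args) {
        PropertiesConfiguration config = new PropertiesConfiguration();

        // Constructed sample values. "evil" stands in for text an attacker got
        // into a configuration value; the expression is deliberately harmless,
        // but on 2.4-2.7 the script lookup would hand whatever it contains to
        // javax.script the moment the property is read with getString().
        config.setProperty("greeting", "hello ${sys:user.name}");
        config.setProperty("evil", "${script:javascript:1 + 1}");

        System.out.println("dangerous lookups registered before hardening: "
                + hasDangerousLookups(config.getInterpolator()));

        installAllowlistedLookups(config);

        System.out.println("dangerous lookups registered after hardening: "
                + hasDangerousLookups(config.getInterpolator()));
        // The sys lookup still expands because it is on the allowlist.
        System.out.println(config.getString("greeting"));
        // The script prefix is unknown now, so the text comes back verbatim
        // and nothing is passed to a script engine.
        System.out.println(config.getString("evil"));
    }
}
```

Run against 2.4 to 2.7 the first check prints true and the second false; against 2.8.0 both print false, because the three lookups are no longer in the defaults. The example deliberately never reads "evil" before hardening: on an affected version with a JavaScript engine available (Nashorn on JDK 8 to 14) that read would evaluate the expression. Whichever workaround is used, it has to run on every Configuration instance before any untrusted value is read, which is why the allowlist form applied at construction time is the safer of the two.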

Remediation

Fix:

  • Upgrade to Apache Commons Configuration 2.8.0, which no longer registers the "script", "dns" and "url" lookups by default.

Workaround (if an upgrade is not immediately possible):

  • Remove the "script", "dns" and "url" prefix lookups from the ConfigurationInterpolator of every Configuration instance (ConfigurationInterpolator.deregisterLookup), or install an interpolator that carries only an explicit allowlist of prefixes, before any untrusted value is read through an interpolating accessor.
CVSS 3.1 base score: 9.8 (Critical)
EPSS: 88.32% (Top 5%)
Vendor advisories: apache.org, debian.org
Affected: Apache Software Foundation Apache Commons Configuration, versions 2.4 through 2.7

Frequently Asked Questions

What is the severity of CVE-2022-33980?
CVE-2022-33980 has been scored as a critical severity vulnerability.
How to fix CVE-2022-33980?
Upgrade to Apache Commons Configuration 2.8.0, which disables the "script", "dns" and "url" lookups by default. If an upgrade is not immediately possible, remove those three prefix lookups from the configuration interpolator, or install an interpolator with an explicit allowlist of prefixes, before untrusted configuration values are read.
Is CVE-2022-33980 being actively exploited in the wild?
It is possible that CVE-2022-33980 is being exploited or will be exploited in the near future based on public information. According to its EPSS score, there is a ~88% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-33980?
CVE-2022-33980 affects Apache Software Foundation Apache Commons Configuration, versions 2.4 through 2.7.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.