CVE-2022-33980: Injection in Software Foundation Apache Commons Configuration

CWE-74: Injection | 12 documents | 8 sources
Severity: 9.8 CRITICAL (NVD)
EPSS: 86.7% (top 0.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 6 | Latest update Oct 15

Description

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote serv

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5 | apache_software_foundation/apache_commons_configuration | Apache Commons Configuration | 2.8.0

Also affects: Debian Linux 11.0

🔴 Vulnerability Details (4)

OSV: Code injection in Apache Commons Configuration (2022-07-07)
GHSA: Code injection in Apache Commons Configuration (2022-07-07)
CVEList: Apache Commons Configuration insecure interpolation defaults (2022-07-06)
OSV: CVE-2022-33980: Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded (2022-07-06)

📋 Vendor Advisories (7)

Oracle: Oracle Oracle Financial Services Applications Risk Matrix: UI (Apache Commons Configuration) — CVE-2022-33980 (2023-10-15)
Oracle: Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Apache Commons Configuration) — CVE-2022-33980 (2023-04-15)
Oracle: Oracle Oracle Communications Applications Risk Matrix: Cloud native deployment (Apache Commons Configuration) — CVE-2022-33980 (2023-01-15)
Jenkins: Jenkins Security Advisory 2022-11-15 (2022-11-15)
Oracle: Oracle Oracle Fusion Middleware Risk Matrix: BI Application Archive (Apache Commons Configuration) — CVE-2022-33980 (2022-10-15)
CVE-2022-33980 — Injection | cvebase