CVE-2022-33980
Published: 06 July 2022
Summary
CVE-2022-33980 is a critical-severity vulnerability in Apache Commons Configuration; the record does not assign a specific weakness class. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.6% of CVEs by predicted exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache Commons Configuration versions 2.4 through 2.7 contain a vulnerability in their variable interpolation mechanism. The library supports property expansion using the "${prefix:name}" syntax, and the affected releases shipped with default Lookup implementations for the "script", "dns", and "url" prefixes. These interpolators permit execution of arbitrary expressions via the JVM script engine, DNS record resolution, or retrieval of values from arbitrary URLs, including remote servers.
An attacker who can supply or influence configuration data that an affected application passes through interpolation can trigger remote code execution (via "script"), or force unintended outbound connections (via "dns" and "url") that can be used for data exfiltration or SSRF-style access to internal services. Exploitability therefore depends on untrusted input reaching interpolation; where it does, the flaw is reachable over the network without authentication or user interaction, consistent with its CVSS 9.8 rating.
Public advisories, including the Apache announcement and downstream notices from Debian and NetApp, direct users to upgrade to Commons Configuration 2.8.0, which disables the dangerous interpolators by default. The listed references also contain coordinated disclosure threads and distribution-specific remediation guidance.
The EPSS score has remained near 0.87 since disclosure, i.e. a high predicted probability of exploitation activity in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6450
Vulnerability details
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
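The following is an added example, not code from the Commons Configuration project or from the advisory, showing the three controls a practitioner would want around the interpolation mechanism described above (in both the "Deeper analysis" and "Vulnerability details" sections): build the ConfigurationInterpolator from an explicit allowlist of Lookup instances rather than the library defaults, deregister the "script", "dns" and "url" prefixes from any interpolator the application is handed, and reject raw values that reference those prefixes before they are loaded. It targets the commons-configuration2 2.x API (InterpolatorSpecification, DefaultLookups, ConfigurationInterpolator.fromSpecification, deregisterLookup) on Java 9+; the property values and the script payload string are constructed for illustration and are not a real exploit.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.InterpolatorSpecification;
import org.apache.commons.configuration2.interpol.Lookup;

/**
 * Added example (not project code): load configuration that may contain
 * attacker-influenced values without exposing the script/dns/url lookups.
 */
public class SafeInterpolationDemo {

    // The three default lookups named in CVE-2022-33980.
    static final Set<String> DANGEROUS_PREFIXES = Set.of("script", "dns", "url");

    /**
     * Build an interpolator from an explicit allowlist instead of the library
     * defaults. Only the prefixes registered here can ever be resolved, so the
     * mitigation does not depend on which 2.x release is on the classpath.
     */
    static ConfigurationInterpolator allowlistedInterpolator() {
        Map<String, Lookup> allowed = new HashMap<>();
        allowed.put(DefaultLookups.SYSTEM_PROPERTIES.getPrefix(),
                    DefaultLookups.SYSTEM_PROPERTIES.getLookup());   // ${sys:...}
        allowed.put(DefaultLookups.ENVIRONMENT.getPrefix(),
                    DefaultLookups.ENVIRONMENT.getLookup());         // ${env:...}
        InterpolatorSpecification spec = new InterpolatorSpecification.Builder()
                .withPrefixLookups(allowed)
                .create();
        return ConfigurationInterpolator.fromSpecification(spec);
    }

    /**
     * Defence in depth for code that still receives an interpolator built from
     * the defaults (e.g. a framework-created configuration): drop the dangerous
     * prefixes so a "${script:...}" reference can no longer reach a Lookup.
     */
    static void deregisterDangerousLookups(ConfigurationInterpolator interpolator) {
        for (String prefix : DANGEROUS_PREFIXES) {
            interpolator.deregisterLookup(prefix);
        }
    }

    /**
     * Input check for values arriving from an untrusted source: reject anything
     * that references a dangerous prefix instead of relying on interpolation to
     * leave it unresolved.
     */
    static boolean referencesDangerousPrefix(String rawValue) {
        if (rawValue == null) {
            return false;
        }
        String lower = rawValue.toLowerCase();
        for (String prefix : DANGEROUS_PREFIXES) {
            if (lower.contains("${" + prefix + ":")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for a properties source an
        // attacker can influence. The script payload is a hypothetical
        // placeholder string; with no "script" lookup registered it is never
        // evaluated, and the pre-parse check rejects it before it is even set.
        Map<String, String> untrusted = new HashMap<>();
        untrusted.put("workdir", "${sys:java.io.tmpdir}/app");
        untrusted.put("banner",  "${script:javascript:java.lang.Runtime.getRuntime()}");
        untrusted.put("peer",    "${dns:address|example.invalid}");

        PropertiesConfiguration config = new PropertiesConfiguration();
        config.setInterpolator(allowlistedInterpolator());
        // No-op against the allowlisted interpolator; kept to show the call
        // you would make on an interpolator you did not build yourself.
        deregisterDangerousLookups(config.getInterpolator());

        for (Map.Entry<String, String> e : untrusted.entrySet()) {
            if (referencesDangerousPrefix(e.getValue())) {
                System.out.println("REJECTED " + e.getKey() + " = " + e.getValue());
                continue;
            }
            config.setProperty(e.getKey(), e.getValue());
        }

        // ${sys:...} resolves through the allowlisted lookup. A value with an
        // unregistered prefix is returned as literal text rather than executed.
        System.out.println("workdir = " + config.getString("workdir"));
    }
}
```

Two caveats when assessing exposure. Whether an injected "${script:...}" expression actually executes depends on a javax.script engine being present on the runtime (Nashorn, the JDK's built-in JavaScript engine, was removed in JDK 15), but the "dns" and "url" lookups need nothing beyond the library, so the outbound-connection variant is the more portable one. After upgrading to 2.8.0, still audit JVM startup flags: that release documents a system property on ConfigurationInterpolator for re-enabling the default prefix lookups, which would reintroduce the exposure.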
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.