CVE-2022-33980

CRITICAL

Apache Commons Configuration <2.8 - RCE

Title source: llm

Description

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

Exploits (6)

nomisec WORKING POC 44 stars
by tangxiaofeng7 · poc
https://github.com/tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE
nomisec WORKING POC 32 stars
by HKirito · poc
https://github.com/HKirito/CVE-2022-33980
nomisec WORKING POC 5 stars
by sammwyy · poc
https://github.com/sammwyy/CVE-2022-33980-POC
nomisec WORKING POC 1 stars
by joseluisinigo · poc
https://github.com/joseluisinigo/riskootext4shell
nomisec WORKING POC
by P0lar1ght · poc
https://github.com/P0lar1ght/CVE-2022-33980-POC

References (5)

Scores

CVSS v3 9.8
EPSS 0.8666
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (4)
apache/commons_configuration 2.4 - 2.8
debian/debian_linux 11.0
netapp/snapcenter
org.apache.commons/commons-configuration2 2.4 - 2.8.0Maven
Published Jul 06, 2022
Tracked Since Feb 18, 2026