CVE-2022-33980

CRITICAL

Apache Commons Configuration <2.8 - RCE

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2022-33980. PoCs published by tangxiaofeng7, HKirito, sammwyy.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2022-33980, demonstrating RCE in Apache Commons Configuration via script interpolation. The exploit leverages the `ConfigurationInterpolator` to execute arbitrary JavaScript code, triggering command execution.

Description

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

Exploits (5)

nomisec WORKING POC 44 stars
by tangxiaofeng7 · poc
https://github.com/tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE

This repository contains a functional PoC for CVE-2022-33980, demonstrating RCE in Apache Commons Configuration via script interpolation. The exploit leverages the `ConfigurationInterpolator` to execute arbitrary JavaScript code, triggering command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Commons Configuration (versions before 2.8.0)
No auth needed
Prerequisites: Target application using vulnerable Apache Commons Configuration library
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 32 stars
by HKirito · poc
https://github.com/HKirito/CVE-2022-33980

This repository contains a functional exploit PoC for CVE-2022-33980, demonstrating RCE via Apache Commons Configuration's interpolation features. The code leverages script, URL, and DNS lookups to execute arbitrary commands, such as launching the macOS Calculator app.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Commons Configuration 2.x
No auth needed
Prerequisites: Target system with vulnerable Apache Commons Configuration library · Ability to send crafted input to the application
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 5 stars
by sammwyy · poc
https://github.com/sammwyy/CVE-2022-33980-POC

This repository contains a functional PoC for CVE-2022-33980, demonstrating a script interpolation vulnerability in Apache Commons Configuration that allows arbitrary code execution via crafted input strings. The Java code includes a loop to accept user input and process it using the vulnerable interpolator.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Commons Configuration (versions before 2.8.0)
No auth needed
Prerequisites: Target application using vulnerable Apache Commons Configuration library
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by joseluisinigo · poc
https://github.com/joseluisinigo/riskootext4shell

This repository contains a functional Python exploit for CVE-2022-42889 (Apache Commons Text RCE). The script generates a reverse shell payload using msfvenom, delivers it via a crafted HTTP request leveraging the vulnerable string interpolation feature, and executes it on the target system.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Commons Text versions 1.5 through 1.9
No auth needed
Prerequisites: Target system must have Apache Commons Text 1.5-1.9 · Target must have curl/wget and bash installed · Attacker must have a reachable IP/port for reverse shell
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by P0lar1ght · poc
https://github.com/P0lar1ght/CVE-2022-33980-POC

This repository contains a functional PoC for CVE-2022-33980, demonstrating a remote code execution vulnerability in Apache Commons Configuration via unsafe interpolation. The exploit leverages a Spring Boot application to expose an endpoint that triggers the vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Commons Configuration (versions affected by CVE-2022-33980)
No auth needed
Prerequisites: Network access to the vulnerable endpoint · Apache Commons Configuration with vulnerable interpolation enabled
devstral-2 · analyzed Feb 18, 2026

References (5)

Core References
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/07/06/5
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/11/15/4
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5290

Scores

CVSS v3 9.8
EPSS 0.8666
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (4)
apache/commons_configuration 2.4 - 2.8
debian/debian_linux 11.0
netapp/snapcenter
org.apache.commons/commons-configuration2 2.4 - 2.8.0 (Maven)
Published Jul 06, 2022
Tracked Since Feb 18, 2026