org.apache.commons:commons-configuration2 2.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.commons:commons-configuration2 package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Out-of-Bounds Write org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats. Affected versions of this package are vulnerable to Out-of-Bounds Write due to the improper handling of certain configurations in the `AbstractListDelimiterHandler.flattenIterator` method. An attacker can trigger a stack overflow by submitting a crafted configuration file or input, leading to a denial of service condition. How to fix Out-of-Bounds Write? Upgrade `org.apache.commons:commons-configuration2` to version 2.10.1 or higher.	[2.0.0,2.10.1)
H Out-of-Bounds Write org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats. Affected versions of this package are vulnerable to Out-of-Bounds Write due to the improper handling of a cyclical object tree when calling the `ListDelimiterHandler.flatten` method. An attacker can trigger a StackOverflowError and potentially cause a denial of service condition by submitting a specially crafted configuration object. How to fix Out-of-Bounds Write? Upgrade `org.apache.commons:commons-configuration2` to version 2.10.1 or higher.	[2.0.0,2.10.1)
H Arbitrary Code Execution org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats. Affected versions of this package are vulnerable to Arbitrary Code Execution via the `Lookup` functionality due to the ability to use certain insecure lookups that perform interpolation. These lookups are: `script` execute expressions using the JVM script execution engine (`javax.script`). `dns` resolve DNS records. `url` load values from URLs, including from remote servers. CVSS Score Explanation: This module is designed for secure configuration management. This implies that the files it handles should have limited access, whether local or remote. Remote attacks require basic privileges and server setup for remote commands. This aligns with AC:H and PR:L How to fix Arbitrary Code Execution? Upgrade `org.apache.commons:commons-configuration2` to version 2.8 or higher.	[2.4,2.8)
H Remote Code Execution (RCE) org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats. Affected versions of this package are vulnerable to Remote Code Execution (RCE). It uses a third-party library to parse YAML files (`org.yaml:snakeyaml`) which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration did not change the default settings of this library. Therefore if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application. How to fix Remote Code Execution (RCE)? Upgrade `org.apache.commons:commons-configuration2` to version 2.7 or higher.	[2.2,2.7)

Vulnerability

Vulnerable Version

Out-of-Bounds Write

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Out-of-Bounds Write due to the improper handling of certain configurations in the AbstractListDelimiterHandler.flattenIterator method. An attacker can trigger a stack overflow by submitting a crafted configuration file or input, leading to a denial of service condition.

How to fix Out-of-Bounds Write?

Upgrade org.apache.commons:commons-configuration2 to version 2.10.1 or higher.

[2.0.0,2.10.1)

Out-of-Bounds Write

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Out-of-Bounds Write due to the improper handling of a cyclical object tree when calling the ListDelimiterHandler.flatten method. An attacker can trigger a StackOverflowError and potentially cause a denial of service condition by submitting a specially crafted configuration object.

How to fix Out-of-Bounds Write?

Upgrade org.apache.commons:commons-configuration2 to version 2.10.1 or higher.

[2.0.0,2.10.1)

Arbitrary Code Execution

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the Lookup functionality due to the ability to use certain insecure lookups that perform interpolation.

These lookups are:

script execute expressions using the JVM script execution engine (javax.script).
dns resolve DNS records.
url load values from URLs, including from remote servers.

CVSS Score Explanation:

This module is designed for secure configuration management. This implies that the files it handles should have limited access, whether local or remote. Remote attacks require basic privileges and server setup for remote commands. This aligns with AC:H and PR:L

How to fix Arbitrary Code Execution?

Upgrade org.apache.commons:commons-configuration2 to version 2.8 or higher.

[2.4,2.8)

Remote Code Execution (RCE)

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). It uses a third-party library to parse YAML files (org.yaml:snakeyaml) which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration did not change the default settings of this library. Therefore if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.commons:commons-configuration2 to version 2.7 or higher.

[2.2,2.7)

org.apache.commons:commons-configuration2@2.6 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?