<p>Upgrade <code>org.apache.commons:commons-configuration2</code> to version 2.8 or higher.</p>

Arbitrary Code Execution Affecting org.apache.commons:commons-configuration2 package, versions [2.4,2.8)

Snyk CVSS

Attack Complexity High

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Mature

EPSS 34.54% (98^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHECOMMONS-2944970
published 8 Jul 2022
disclosed 7 Jul 2022
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 7 Jul 2022

CVE-2022-33980 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

Upgrade org.apache.commons:commons-configuration2 to version 2.8 or higher.

Overview

org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the Lookup functionality due to the ability to use certain insecure lookups that perform interpolation.

These lookups are:

script execute expressions using the JVM script execution engine (javax.script).
dns resolve DNS records.
url load values from URLs, including from remote servers.

CVSS Score Explanation:

This module is designed for secure configuration management. This implies that the files it handles should have limited access, whether local or remote. Remote attacks require basic privileges and server setup for remote commands. This aligns with AC:H and PR:L