Vulnerability in Apache Software Foundation Commons Configuration
CVE-2022-33980
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apac…
EPSS: 0.867 (99.4th percentile)
Affected products
- Apache Software Foundation Commons Configuration — versions Apache Commons Configuration
Public proof-of-concept exploits
References
- lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
- [oss-security] 20220706 CVE-2022-33980: Apache Commons Configuration insecure interpolation defaults (mailing-list)
- security.netapp.com/advisory/ntap-20221028-0015/
- [oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins (mailing-list)
- DSA-5290 (vendor-advisory)
Frequently asked questions
- What is CVE-2022-33980?
  - CVE-2022-33980 is a vulnerability in Apache Software Foundation Commons Configuration. Published 2022-07-06.
- Is CVE-2022-33980 known to be exploited?
  - 32 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.