Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2022-33980

Disclosure Date: July 06, 2022 •

CVE-2022-33980 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: – “script” – execute expressions using the JVM script execution engine (javax.script) – “dns” – resolve dns records – “url” – load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

apache,
debian,
netapp

Products

commons configuration,
debian linux 11.0,
snapcenter -

References

Canonical

CVE-2022-33980 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33980)

Advisory

https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s

[oss-security] 20220706 CVE-2022-33980: Apache Commons Configuration insecure interpolation defaults (http://www.openwall.com/lists/oss-security/2022/07/06/5)

https://security.netapp.com/advisory/ntap-20221028-0015/

[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins (http://www.openwall.com/lists/oss-security/2022/11/15/4)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

CVE-2022-33980-Apache-Commons-Configuration-RCE (https://github.com/tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE)

CVE-2022-33980 (https://github.com/HKirito/CVE-2022-33980)

Rapid7

Hello Everyone! We have made some updates to AttackerKB in the last few months.

New tags:

New workers:

Unknown

CVE-2022-33980

Unknown

Unknown

None

None

Network

CVE-2022-33980

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Exploit

Additional Info

Technical Analysis

Hello Everyone! We have made some updates to AttackerKB in the last few months.

New tags:

New workers:

Unknown

CVE-2022-33980

Unknown

Unknown

None

None

Network

CVE-2022-33980

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Exploit

Additional Info

Technical Analysis

Quick Cookie Notification