GHSA-xj57-8qj4-c4m6 · Severity: critical · Ecosystem: maven — Code injection in Apache Commons Configuration
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
Conclusion & alert: CVE-2022-33980 is rated High Risk (73/100): CVSS Critical severity, with high exploitation likelihood (EPSS 86.66%, 99th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-01-15 | 87.66% | 86.66% | -1.00% |
| 2 | 2025-11-21 | 89.59% | 87.66% | -1.93% |
| 3 | 2025-11-18 | — | 89.59% | — |
Full EPSS history (35 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH |
|
10.0 | 6.4 | [email protected] |
GHSA-xj57-8qj4-c4m6 · Severity: critical · Ecosystem: maven — Code injection in Apache Commons Configuration
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2022-33980 not yet assigned priority: Debian including 1 source packages (commons-configuration2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2022-33980 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2022-33980 |
suse
|
high | — | https://www.suse.com/security/cve/CVE-2022-33980/ |
ubuntu
|
medium | CVE-2022-33980 medium priority: Ubuntu including 1 source packages (commons-configuration2), 13 status rows across 13 suites (bionic, focal, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 7, needs-triage 3, DNE 2, released 1. | https://ubuntu.com/security/CVE-2022-33980 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | commons_configuration | >= 2.4, < 2.8 | cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:* |
| netapp | snapcenter | — | cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* |
| debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2022/07/06/5 | Mailing List Third Party Advisory |
| http://www.openwall.com/lists/oss-security/2022/11/15/4 | Mailing List Third Party Advisory |
| https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s | Mailing List Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20221028-0015/ | Third Party Advisory |
| https://www.debian.org/security/2022/dsa-5290 | Third Party Advisory |