GHSA-xjp4-hw94-mvp5 · Severity: medium · Ecosystem: maven — Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
Conclusion & alert: CVE-2024-29131 is rated Moderate Risk (46.4/100): CVSS High severity, with low exploitation likelihood (EPSS 0.26%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-22 | 0.20% | 0.26% | +0.05% |
| 2 | 2025-11-21 | 3.38% | 0.20% | -3.18% |
| 3 | 2025-11-18 | — | 3.38% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.3 | 3.1 | HIGH |
|
3.9 | 3.4 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-xjp4-hw94-mvp5 · Severity: medium · Ecosystem: maven — Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2024-29131 not yet assigned priority: Debian including 1 source packages (commons-configuration2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. | https://security-tracker.debian.org/tracker/CVE-2024-29131 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2024-29131 |
suse
|
medium | CVE-2024-29131 severity moderate: SUSE including 9 source package names (3.3.2-2.3:apache-commons-configuration-1.10-150200.3.11.1, apache-commons-configuration-1.10-150200.3.11.1, …), 30 product×package rows across 20 product lines (Container containers/apache-pulsar, SUSE Enterprise Storage 7.1, … (20 product lines)): Fixed 30. | https://www.suse.com/security/cve/CVE-2024-29131/ |
ubuntu
|
medium | CVE-2024-29131 medium priority: Ubuntu including 1 source packages (commons-configuration2), 8 status rows across 8 suites (bionic, focal, jammy, noble, oracular, plucky, questing, upstream): needs-triage 4, not-affected 3, released 1. | https://ubuntu.com/security/CVE-2024-29131 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | commons_configuration | >= 2.0, < 2.10.1 | cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 39 | cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* |
| fedoraproject | fedora | 40 | cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* |
| netapp | ontap_tools | 10 | cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:* |
| netapp | snapcenter | — | cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2024/03/20/4 | Mailing List Third Party Advisory |
| https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37 | Mailing List Vendor Advisory |
| https://lists.fedoraproject.org/archives/list/[email protected]/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7/ | Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/[email protected]/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS/ | Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20241213-0001/ | Third Party Advisory |