Apache Commons Configuration insecure interpolation defaults
Description
Apache Commons Configuration 2.4 through 2.7 includes default interpolators (script, dns, url) that can lead to arbitrary code execution or server-side request forgery when processing untrusted configuration values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
Apache Commons Configuration versions 2.4 to 2.7 include variable interpolation defaults that can be abused to achieve remote code execution or make unintended network requests. The library processes ${prefix:name} expressions, where the prefix selects a Lookup instance. By default, the "script" Lookup executes arbitrary code via the JVM script engine (javax.script), the "dns" Lookup resolves DNS records, and the "url" Lookup fetches content from remote URLs [1][2]. Applications that interpolate untrusted configuration values using these defaults are at risk.
Exploitation and Attack Surface
Exploitation requires an attacker to inject a malicious ${script:...}, ${dns:...}, or ${url:...} expression into a configuration value that the application subsequently evaluates. No special privileges beyond the ability to supply configuration input (such as environment variables, system properties, or configuration files) are needed. The vulnerability is reachable through any application path that uses Commons Configuration's default interpolation capability [2][3].
Impact
A successful exploit can lead to full remote code execution on the server running the application, enabling data theft, lateral movement, or further compromise. Additionally, the url Lookup can be used to perform server-side request forgery (SSRF), potentially accessing internal services or exfiltrating data. The dns Lookup may be used for data exfiltration or reconnaissance [1][2].
Mitigation
Users should upgrade to Apache Commons Configuration 2.8.0 or later, which disables the dangerous interpolators by default. No workaround is provided for earlier versions; upgrading is the recommended course of action [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
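The following is an added example, not code from the Apache Commons Configuration project or from the CVE's references: it shows how an application on an affected 2.x release can replace the default ConfigurationInterpolator with one that registers only an allow-listed set of prefix lookups (assumed here to be sys, env and const), so that ${script:...}, ${dns:...} and ${url:...} expressions are left uninterpolated instead of being evaluated. This is a defense-in-depth measure for code the application controls; upgrading to 2.8.0 remains the fix.

```java
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.ConfigurationLookup;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

public final class RestrictedInterpolation {

    // Assumption: the application only ever needs these prefixes. SCRIPT, DNS and URL
    // are deliberately absent, so their expressions are never resolved.
    private static final EnumSet<DefaultLookups> ALLOWED_PREFIXES = EnumSet.of(
        DefaultLookups.SYSTEM_PROPERTIES,  // ${sys:...}
        DefaultLookups.ENVIRONMENT,        // ${env:...}
        DefaultLookups.CONSTANTS);         // ${const:...}
    /** Replaces the configuration's default interpolator with an allow-listed one. */
    public static void installRestrictedInterpolator(PropertiesConfiguration config) {
        Map<String, Lookup> prefixLookups = new LinkedHashMap<>();
        for (DefaultLookups entry : ALLOWED_PREFIXES) {
            prefixLookups.put(entry.getPrefix(), entry.getLookup());
        }
        ConfigurationInterpolator interpolator = new ConfigurationInterpolator();
        interpolator.registerLookups(prefixLookups);
        // Keep plain ${otherKey} references to the configuration's own properties working.
        interpolator.addDefaultLookup(new ConfigurationLookup(config));
        config.setInterpolator(interpolator);
    }

    /** Audit helper: true when a value still carries an unresolved prefixed variable. */
    public static boolean containsUnresolvedPrefix(String value, String prefix) {
        return value != null && value.contains("${" + prefix + ":");
    }

    public static void main(String[] args) {
        PropertiesConfiguration config = new PropertiesConfiguration();
        // Constructed sample values standing in for untrusted configuration input.
        config.setProperty("banner", "${script:javascript:1+1}");
        config.setProperty("workdir", "${sys:user.home}/app");
        config.setProperty("logdir", "${workdir}/logs");
        installRestrictedInterpolator(config);
        System.out.println(config.getString("banner"));   // left as-is: no script lookup registered
        System.out.println(config.getString("workdir"));  // resolved through the sys lookup
        System.out.println(config.getString("logdir"));   // resolved through the configuration itself
        System.out.println(containsUnresolvedPrefix(config.getString("banner"), "script"));
    }
}
```

Running this against the affected versions also serves as a check: if the banner value comes back evaluated rather than verbatim, the restricted interpolator is not the one in use.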
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-configuration2 (Maven) | >= 2.4, < 2.8.0 | 2.8.0 |
Affected products (3)
- pkg:maven/org.apache.commons/commons-configuration2 (no CPE), range: >= 2.4, < 2.8.0
- pkg:rpm/opensuse/apache-commons-configuration2&distro=openSUSE%20Tumbleweed (no CPE), range: < 2.9.0-1.1
- Apache Commons Configuration
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xj57-8qj4-c4m6 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-33980 (advisory)
- www.debian.org/security/2022/dsa-5290 (vendor advisory)
- www.openwall.com/lists/oss-security/2022/07/06/5 (mailing list)
- www.openwall.com/lists/oss-security/2022/11/15/4 (mailing list)
- commons.apache.org/proper/commons-configuration/changes-report.html
- issues.apache.org/jira/browse/CONFIGURATION-753
- issues.apache.org/jira/browse/CONFIGURATION-764
- lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
- security.netapp.com/advisory/ntap-20221028-0015
News mentions
- Jenkins Security Advisory 2022-11-15 (Jenkins Security Advisories, Nov 15, 2022)