Apache Commons Configuration


By the Year

In 2023 there have been 0 vulnerabilities in Apache Commons Configuration. Last year Commons Configuration had 1 security vulnerability published. Right now, Commons Configuration is on track to have fewer security vulnerabilities in 2023 than it did last year.

Year   Vulnerabilities   Average Score
2023   0                 0.00
2022   1                 9.80
2021   0                 0.00
2020   1                 10.00
2019   0                 0.00
2018   0                 0.00

It may take a day or so for new Commons Configuration vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Commons Configuration Security Vulnerabilities


CVE-2022-33980 9.8 - Critical - July 06, 2022

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.


CVE-2020-1953 10 - Critical - March 13, 2020

Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.

Improper Input Validation
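Both advisories above come down to the same defensive point: configuration text from an untrusted source must not be handed to a parser that will evaluate it. The following is an added example, not code from this tracker page or from the Apache Commons project. It does two things: it scans raw configuration text for the "${script:", "${url:" and "${dns:" interpolation prefixes named in CVE-2022-33980 and for explicit YAML class tags of the kind CVE-2020-1953 relies on, and it loads a properties file through Commons Configuration with an explicit allow-list of lookups so that the library's default lookup set is never consulted. It assumes commons-configuration2 2.8.0 or later on the classpath and uses its public DefaultLookups enum and AbstractConfiguration.installInterpolator; the sample configuration strings are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.ex.ConfigurationException;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

public class ConfigHardening {

    // Interpolation prefixes that reach the JVM script engine or the network
    // (CVE-2022-33980). Matching is case-insensitive because prefix lookup
    // in ConfigurationInterpolator is keyed on the lower-cased prefix.
    private static final Pattern RISKY_INTERPOLATION =
        Pattern.compile("\\$\\{(script|url|dns):", Pattern.CASE_INSENSITIVE);

    // A "!!" tag whose name contains a dot is a fully qualified Java class
    // name that SnakeYAML would instantiate with its default constructor
    // (CVE-2020-1953). Built-in tags such as !!str or !!int have no dot
    // and are not flagged.
    private static final Pattern YAML_CLASS_TAG =
        Pattern.compile("!![A-Za-z_][\\w$]*(\\.[A-Za-z_][\\w$]*)+");

    /** Returns one finding per risky construct, formatted as "line N: match". */
    public static List<String> scan(String rawConfig) {
        List<String> findings = new ArrayList<>();
        String[] lines = rawConfig.split("\\r?\\n");
        for (int i = 0; i < lines.length; i++) {
            for (Pattern p : new Pattern[] {RISKY_INTERPOLATION, YAML_CLASS_TAG}) {
                Matcher m = p.matcher(lines[i]);
                while (m.find()) {
                    findings.add("line " + (i + 1) + ": " + m.group());
                }
            }
        }
        return findings;
    }

    /**
     * Loads properties text with only the "env", "sys" and "const" lookups
     * enabled. Any "${script:...}", "${url:...}" or "${dns:...}" reference is
     * left unresolved, whatever the library version's defaults happen to be.
     */
    public static PropertiesConfiguration loadRestricted(String propertiesText)
            throws ConfigurationException, IOException {
        PropertiesConfiguration config = new PropertiesConfiguration();
        Map<String, Lookup> allowed = new LinkedHashMap<>();
        for (DefaultLookups l : new DefaultLookups[] {
                DefaultLookups.ENVIRONMENT,
                DefaultLookups.SYSTEM_PROPERTIES,
                DefaultLookups.CONST}) {
            allowed.put(l.getPrefix(), l.getLookup());
        }
        // Replace the interpolator before any value is read; no default
        // lookups (the second argument) are installed either.
        config.installInterpolator(allowed, Collections.<Lookup>emptyList());
        config.read(new StringReader(propertiesText));
        return config;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign value, one that would reach the script
        // engine and one that would contact a remote server.
        String properties = String.join("\n",
            "app.name = demo",
            "app.home = ${env:HOME}",
            "banner = ${script:javascript:1+1}",
            "feed = ${url:http://example.invalid/values}");
        // Constructed sample YAML with an explicit class tag.
        String yaml = String.join("\n",
            "name: demo",
            "payload: !!com.example.NotAClass {}");

        for (String f : scan(properties + "\n" + yaml)) {
            System.out.println("REJECT " + f);
        }

        PropertiesConfiguration config = loadRestricted(properties);
        // "banner" comes back as the literal "${script:javascript:1+1}" text
        // rather than the evaluated expression, because no "script" lookup
        // is registered on this configuration.
        System.out.println("banner = " + config.getString("banner"));
    }
}
```

The scan is a cheap gate for configuration that arrives from outside the trust boundary (uploads, tenant-supplied settings, repository checkouts); the allow-list is the durable control, because it does not depend on which commons-configuration2 version a transitive dependency resolves to. For YAML, the equivalent is to refuse documents that fail the tag check, or to load them only with the library's safe constructor, rather than relying on the parser's defaults.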
