CVE-2022-33980 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-33980 Interim 1 11 2026-03-05T04:39:55Z current 2022-07-07T23:45:15Z 2026-03-05T04:39:55Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-33980 Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Enterprise Storage 7 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server Business Critical Linux 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Manager Proxy 4.1 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Manager Retail Branch Server 4.1 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Manager Server 4.1 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 openSUSE Tumbleweed apache-commons-configuration apache-commons-configuration2-2.10.1-150200.5.8.1 apache-commons-configuration2-2.10.1-160000.2.2 apache-commons-configuration2-2.9.0-1.1 apache-commons-configuration2-javadoc-2.10.1-160000.2.2 apache-commons-configuration2-javadoc-2.9.0-1.1 apache-commons-configuration2-2.10.1-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 apache-commons-configuration2-2.10.1-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP7 apache-commons-configuration2-2.10.1-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 apache-commons-configuration2-javadoc-2.10.1-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 apache-commons-configuration2-2.9.0-1.1 as a component of openSUSE Tumbleweed apache-commons-configuration2-javadoc-2.9.0-1.1 as a component of openSUSE Tumbleweed apache-commons-configuration as a component of SUSE Enterprise Storage 7 apache-commons-configuration as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS apache-commons-configuration as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache-commons-configuration as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 apache-commons-configuration as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 apache-commons-configuration as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache-commons-configuration as a component of SUSE Linux Enterprise Server Business Critical Linux 15 SP2 apache-commons-configuration as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache-commons-configuration as a component of SUSE Manager Proxy 4.1 apache-commons-configuration as a component of SUSE Manager Retail Branch Server 4.1 apache-commons-configuration as a component of SUSE Manager Server 4.1 Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default. CVE-2022-33980 SUSE Linux Enterprise Module for Development Tools 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1 SUSE Linux Enterprise Module for Development Tools 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1 SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.10.1-160000.2.2 SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.10.1-160000.2.2 openSUSE Tumbleweed:apache-commons-configuration2-2.9.0-1.1 openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.9.0-1.1 SUSE Enterprise Storage 7:apache-commons-configuration SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS:apache-commons-configuration SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-commons-configuration SUSE Linux Enterprise Module for Development Tools 15 SP3:apache-commons-configuration SUSE Linux Enterprise Module for Development Tools 15 SP4:apache-commons-configuration SUSE Linux Enterprise Server 15 SP2-LTSS:apache-commons-configuration SUSE Linux Enterprise Server Business Critical Linux 15 SP2:apache-commons-configuration SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-commons-configuration SUSE Manager Proxy 4.1:apache-commons-configuration SUSE Manager Retail Branch Server 4.1:apache-commons-configuration SUSE Manager Server 4.1:apache-commons-configuration important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L