Veracode Vulnerability Database: VERACODE:36282
Jul 07, 2022 - 3:50 a.m.

Arbitrary Code Execution

sca.analysiscenter.veracode.com
Tags: arbitrary code execution, commons-configuration2, getdefaultprefixlookups, configurationinterpolator.java, variable interpolation, malicious code

EPSS: 0.215 (percentile: 96.5%)

commons-configuration2 is vulnerable to Arbitrary Code Execution. The vulnerability exists because the getDefaultPrefixLookups function of ConfigurationInterpolator.java does not properly disable the default interpolation prefix lookups such as dns, url, and script during variable interpolation, allowing an attacker to inject and execute malicious code through the default lookup instances.
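
As an added example (not part of the Veracode entry or of commons-configuration2 itself), the Python audit below flags configuration values that invoke the dns, url, or script lookup prefixes named above, including when they are nested inside another expression. It assumes the library's `${prefix:name}` interpolation syntax and simple `key = value` properties lines; the function names and the sample input are constructed for illustration.

```python
import re

# Lookup prefixes the advisory names as left enabled by default.
RISKY_PREFIXES = {"dns", "url", "script"}

# Start of an interpolation expression: "${prefix:". Matching only the
# start means nested expressions such as ${env:${dns:...}} are also seen.
_EXPR_START = re.compile(r"\$\{([A-Za-z0-9_.-]+):")


def risky_prefixes_in(value):
    """Return the risky lookup prefixes used in one value, in order."""
    found = []
    for match in _EXPR_START.finditer(value):
        # Lower-casing is a conservative choice for detection (assumption).
        prefix = match.group(1).lower()
        if prefix in RISKY_PREFIXES:
            found.append(prefix)
    return found


def audit_properties(text):
    """Return (line_no, key, prefix) for each risky lookup in the text.

    Simplification: only 'key = value' lines are parsed; comment lines
    starting with '#' or '!' and lines without '=' are skipped.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        for prefix in risky_prefixes_in(value):
            findings.append((line_no, key.strip(), prefix))
    return findings


# Constructed sample input, not taken from the advisory.
SAMPLE = """\
# constructed sample
app.home = ${sys:user.home}/app
app.banner = ${script:javascript:1 + 1}
app.host = ${env:${dns:example.org}}
! comment with ${url:ignored}
app.plain = no interpolation here
"""

if __name__ == "__main__":
    for line_no, key, prefix in audit_properties(SAMPLE):
        print(f"line {line_no}: {key} uses '{prefix}' lookup")
```

The same `risky_prefixes_in` check can be applied to any externally supplied string before it is stored in, or resolved through, an interpolated configuration.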