Vulnerability_id VCID-mbst-3bec-ykcq
Summary
Code injection in Apache Commons Configuration
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
Aliases
0
alias CVE-2022-33980
1
alias GHSA-xj57-8qj4-c4m6
Fixed_packages
0
url pkg:deb/debian/commons-configuration2@2.8.0-1~deb11u1?distro=trixie
purl pkg:deb/debian/commons-configuration2@2.8.0-1~deb11u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7dw4-pssj-dqf8
1
vulnerability VCID-y9pv-wgb6-mfa7
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/commons-configuration2@2.8.0-1~deb11u1%3Fdistro=trixie
1
url pkg:deb/debian/commons-configuration2@2.8.0-1~deb11u1
purl pkg:deb/debian/commons-configuration2@2.8.0-1~deb11u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7dw4-pssj-dqf8
1
vulnerability VCID-y9pv-wgb6-mfa7
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/commons-configuration2@2.8.0-1~deb11u1
2
url pkg:deb/debian/commons-configuration2@2.8.0-1?distro=trixie
purl pkg:deb/debian/commons-configuration2@2.8.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/commons-configuration2@2.8.0-1%3Fdistro=trixie
3
url pkg:deb/debian/commons-configuration2@2.8.0-2?distro=trixie
purl pkg:deb/debian/commons-configuration2@2.8.0-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7dw4-pssj-dqf8
1
vulnerability VCID-y9pv-wgb6-mfa7
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/commons-configuration2@2.8.0-2%3Fdistro=trixie
4
url pkg:deb/debian/commons-configuration2@2.11.0-2?distro=trixie
purl pkg:deb/debian/commons-configuration2@2.11.0-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/commons-configuration2@2.11.0-2%3Fdistro=trixie
5
url pkg:deb/debian/commons-configuration2@2.11.0-3?distro=trixie
purl pkg:deb/debian/commons-configuration2@2.11.0-3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/commons-configuration2@2.11.0-3%3Fdistro=trixie
6
url pkg:maven/org.apache.commons/commons-configuration2@2.8.0
purl pkg:maven/org.apache.commons/commons-configuration2@2.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7dw4-pssj-dqf8
1
vulnerability VCID-y9pv-wgb6-mfa7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.commons/commons-configuration2@2.8.0
Affected_packages
0
url pkg:deb/debian/commons-configuration2@2.2-1%2Bdeb10u1
purl pkg:deb/debian/commons-configuration2@2.2-1%2Bdeb10u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cy9f-u66u-6ben
1
vulnerability VCID-mbst-3bec-ykcq
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/commons-configuration2@2.2-1%252Bdeb10u1
1
url pkg:maven/org.apache.commons/commons-configuration2@2.4
purl pkg:maven/org.apache.commons/commons-configuration2@2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7dw4-pssj-dqf8
1
vulnerability VCID-cy9f-u66u-6ben
2
vulnerability VCID-mbst-3bec-ykcq
3
vulnerability VCID-y9pv-wgb6-mfa7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.commons/commons-configuration2@2.4
2
url pkg:maven/org.apache.commons/commons-configuration2@2.5
purl pkg:maven/org.apache.commons/commons-configuration2@2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7dw4-pssj-dqf8
1
vulnerability VCID-cy9f-u66u-6ben
2
vulnerability VCID-mbst-3bec-ykcq
3
vulnerability VCID-y9pv-wgb6-mfa7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.commons/commons-configuration2@2.5
3
url pkg:maven/org.apache.commons/commons-configuration2@2.6
purl pkg:maven/org.apache.commons/commons-configuration2@2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7dw4-pssj-dqf8
1
vulnerability VCID-cy9f-u66u-6ben
2
vulnerability VCID-mbst-3bec-ykcq
3
vulnerability VCID-y9pv-wgb6-mfa7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.commons/commons-configuration2@2.6
4
url pkg:maven/org.apache.commons/commons-configuration2@2.7
purl pkg:maven/org.apache.commons/commons-configuration2@2.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7dw4-pssj-dqf8
1
vulnerability VCID-mbst-3bec-ykcq
2
vulnerability VCID-y9pv-wgb6-mfa7
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.commons/commons-configuration2@2.7
5
url pkg:rpm/redhat/candlepin@4.2.13-1?arch=el8sat
purl pkg:rpm/redhat/candlepin@4.2.13-1?arch=el8sat
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2cup-9gdn-yyhk
1
vulnerability VCID-4nu3-fknt-puej
2
vulnerability VCID-6354-p39b-zbhp
3
vulnerability VCID-9h46-72hw-bkcr
4
vulnerability VCID-dmkc-42vj-gbhc
5
vulnerability VCID-fb8u-g65k-hffs
6
vulnerability VCID-j986-mtma-b3bw
7
vulnerability VCID-mbst-3bec-ykcq
8
vulnerability VCID-mm3e-4pej-byed
9
vulnerability VCID-qub7-qp14-uqcg
10
vulnerability VCID-qxfs-sq38-jfad
11
vulnerability VCID-v2pq-1qhm-4qb9
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/candlepin@4.2.13-1%3Farch=el8sat
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33980.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-33980.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-33980
reference_id
reference_type
scores
0
value 0.86659
scoring_system epss
scoring_elements 0.9943
published_at 2026-05-14T12:55:00Z
1
value 0.86659
scoring_system epss
scoring_elements 0.99426
published_at 2026-05-07T12:55:00Z
2
value 0.86659
scoring_system epss
scoring_elements 0.99429
published_at 2026-05-12T12:55:00Z
3
value 0.86659
scoring_system epss
scoring_elements 0.99427
published_at 2026-05-11T12:55:00Z
4
value 0.86659
scoring_system epss
scoring_elements 0.99414
published_at 2026-04-02T12:55:00Z
5
value 0.86659
scoring_system epss
scoring_elements 0.99417
published_at 2026-04-07T12:55:00Z
6
value 0.86659
scoring_system epss
scoring_elements 0.99418
published_at 2026-04-08T12:55:00Z
7
value 0.86659
scoring_system epss
scoring_elements 0.99419
published_at 2026-04-09T12:55:00Z
8
value 0.86659
scoring_system epss
scoring_elements 0.9942
published_at 2026-04-11T12:55:00Z
9
value 0.86659
scoring_system epss
scoring_elements 0.99421
published_at 2026-04-12T12:55:00Z
10
value 0.86659
scoring_system epss
scoring_elements 0.99422
published_at 2026-04-13T12:55:00Z
11
value 0.86659
scoring_system epss
scoring_elements 0.99424
published_at 2026-04-16T12:55:00Z
12
value 0.86659
scoring_system epss
scoring_elements 0.99423
published_at 2026-04-21T12:55:00Z
13
value 0.86659
scoring_system epss
scoring_elements 0.99425
published_at 2026-04-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-33980
2
reference_url https://commons.apache.org/proper/commons-configuration/changes-report.html#a2.8.0
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://commons.apache.org/proper/commons-configuration/changes-report.html#a2.8.0
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33980
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33980
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/apache/commons-configuration
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/commons-configuration
6
reference_url https://issues.apache.org/jira/browse/CONFIGURATION-753
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/CONFIGURATION-753
7
reference_url https://issues.apache.org/jira/browse/CONFIGURATION-764
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/CONFIGURATION-764
8
reference_url https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-33980
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-33980
10
reference_url https://security.netapp.com/advisory/ntap-20221028-0015
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20221028-0015
11
reference_url https://security.netapp.com/advisory/ntap-20221028-0015/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20221028-0015/
12
reference_url https://www.debian.org/security/2022/dsa-5290
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2022/dsa-5290
13
reference_url http://www.openwall.com/lists/oss-security/2022/07/06/5
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2022/07/06/5
14
reference_url http://www.openwall.com/lists/oss-security/2022/11/15/4
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2022/11/15/4
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014960
reference_id 1014960
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014960
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2105067
reference_id 2105067
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2105067
17
reference_url https://github.com/advisories/GHSA-xj57-8qj4-c4m6
reference_id GHSA-xj57-8qj4-c4m6
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xj57-8qj4-c4m6
18
reference_url https://access.redhat.com/errata/RHSA-2022:6916
reference_id RHSA-2022:6916
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:6916
19
reference_url https://access.redhat.com/errata/RHSA-2022:8652
reference_id RHSA-2022:8652
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:8652
20
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
Weaknesses
0
cwe_id 74
name Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
description The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
1
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score 7.5 - 10.0
Exploitability 2.0
Weighted_severity 9.0
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mbst-3bec-ykcq