{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2022-33980","title":"Title"},{"category":"description","text":"Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2022-33980","url":"https://www.suse.com/security/cve/CVE-2022-33980"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1201279 for CVE-2022-33980","url":"https://bugzilla.suse.com/1201279"}],"title":"SUSE CVE CVE-2022-33980","tracking":{"current_release_date":"2026-01-23T04:04:23Z","generator":{"date":"2023-02-15T03:25:02Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2022-33980","initial_release_date":"2023-02-15T03:25:02Z","revision_history":[{"date":"2023-02-15T03:25:02Z","number":"2","summary":"Current version"},{"date":"2023-09-26T01:52:39Z","number":"3","summary":"Current version"},{"date":"2024-11-23T01:02:43Z","number":"4","summary":"Current version"},{"date":"2025-01-01T03:00:46Z","number":"5","summary":"Current version"},{"date":"2025-01-10T01:52:27Z","number":"6","summary":"Current version"},{"date":"2025-02-14T07:38:53Z","number":"7","summary":"Current version"},{"date":"2025-02-16T07:23:00Z","number":"8","summary":"Current version"},{"date":"2025-03-15T07:29:28Z","number":"9","summary":"Current version"},{"date":"2025-04-25T03:36:06Z","number":"10","summary":"Current version"},{"date":"2025-07-16T01:35:16Z","number":"11","summary":"Current version"},{"date":"2025-11-03T03:29:47Z","number":"12","summary":"Current version"},{"date":"2026-01-23T04:04:23Z","number":"13","summary":"unknown changes"}],"status":"interim","version":"13"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Enterprise Storage 7","product":{"name":"SUSE Enterprise Storage 7","product_id":"SUSE Enterprise Storage 7","product_identification_helper":{"cpe":"cpe:/o:suse:ses:7"}}},{"category":"product_name","name":"SUSE Enterprise Storage 7.1","product":{"name":"SUSE Enterprise Storage 7.1","product_id":"SUSE Enterprise Storage 7.1","product_identification_helper":{"cpe":"cpe:/o:suse:ses:7.1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Desktop 15 SP3","product":{"name":"SUSE Linux Enterprise Desktop 15 SP3","product_id":"SUSE Linux Enterprise Desktop 15 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sled:15:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Desktop 15 SP4","product":{"name":"SUSE Linux Enterprise Desktop 15 SP4","product_id":"SUSE Linux Enterprise Desktop 15 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sled:15:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Desktop 15 SP6","product":{"name":"SUSE Linux Enterprise Desktop 15 SP6","product_id":"SUSE Linux Enterprise Desktop 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:sled:15:sp6"}}},{"category":"product_name","name":"SUSE Linux Enterprise Desktop 15 SP7","product":{"name":"SUSE Linux Enterprise Desktop 15 SP7","product_id":"SUSE Linux Enterprise Desktop 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:sled:15:sp7"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS","product":{"name":"SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS","product_identification_helper":{"cpe":"cpe:/o:suse:sle_hpc-espos:15:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS","product":{"name":"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:sle_hpc-ltss:15:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 15 SP3","product":{"name":"SUSE Linux Enterprise High Performance Computing 15 SP3","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sle_hpc:15:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 15 SP4","product":{"name":"SUSE Linux Enterprise High Performance Computing 15 SP4","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle_hpc:15:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 15 SP6","product":{"name":"SUSE Linux Enterprise High Performance Computing 15 SP6","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:sle_hpc:15:sp6"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 15 SP7","product":{"name":"SUSE Linux Enterprise High Performance Computing 15 SP7","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:sle_hpc:15:sp7"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Development Tools 15 SP3","product":{"name":"SUSE Linux Enterprise Module for Development Tools 15 SP3","product_id":"SUSE Linux Enterprise Module for Development Tools 15 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-development-tools:15:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Development Tools 15 SP4","product":{"name":"SUSE Linux Enterprise Module for Development Tools 15 SP4","product_id":"SUSE Linux Enterprise Module for Development Tools 15 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-development-tools:15:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Development Tools 15 SP6","product":{"name":"SUSE Linux Enterprise Module for Development Tools 15 SP6","product_id":"SUSE Linux Enterprise Module for Development Tools 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-development-tools:15:sp6"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Development Tools 15 SP7","product":{"name":"SUSE Linux Enterprise Module for Development Tools 15 SP7","product_id":"SUSE Linux Enterprise Module for Development Tools 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-development-tools:15:sp7"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 15 SP2-LTSS","product":{"name":"SUSE Linux Enterprise Server 15 SP2-LTSS","product_id":"SUSE Linux Enterprise Server 15 SP2-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:sles-ltss:15:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 15 SP3","product":{"name":"SUSE Linux Enterprise Server 15 SP3","product_id":"SUSE Linux Enterprise Server 15 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sles:15:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 15 SP4","product":{"name":"SUSE Linux Enterprise Server 15 SP4","product_id":"SUSE Linux Enterprise Server 15 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sles:15:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 15 SP6","product":{"name":"SUSE Linux Enterprise Server 15 SP6","product_id":"SUSE Linux Enterprise Server 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:sles:15:sp6"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 15 SP7","product":{"name":"SUSE Linux Enterprise Server 15 SP7","product_id":"SUSE Linux Enterprise Server 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:sles:15:sp7"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server Business Critical Linux 15 SP2","product":{"name":"SUSE Linux Enterprise Server Business Critical Linux 15 SP2","product_id":"SUSE Linux Enterprise Server Business Critical Linux 15 SP2","product_identification_helper":{"cpe":"cpe:/o:suse:sles_bcl:15:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 15 SP2","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 15 SP2","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP2","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:15:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 15 SP3","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 15 SP3","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:15:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 15 SP4","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 15 SP4","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:15:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 15 SP6","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 15 SP6","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:15:sp6"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 15 SP7","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 15 SP7","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:15:sp7"}}},{"category":"product_name","name":"SUSE Manager Proxy 4.1","product":{"name":"SUSE Manager Proxy 4.1","product_id":"SUSE Manager Proxy 4.1","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-proxy:4.1"}}},{"category":"product_name","name":"SUSE Manager Proxy 4.2","product":{"name":"SUSE Manager Proxy 4.2","product_id":"SUSE Manager Proxy 4.2","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-proxy:4.2"}}},{"category":"product_name","name":"SUSE Manager Proxy 4.3","product":{"name":"SUSE Manager Proxy 4.3","product_id":"SUSE Manager Proxy 4.3","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-proxy:4.3"}}},{"category":"product_name","name":"SUSE Manager Retail Branch Server 4.1","product":{"name":"SUSE Manager Retail Branch Server 4.1","product_id":"SUSE Manager Retail Branch Server 4.1","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-retail-branch-server:4.1"}}},{"category":"product_name","name":"SUSE Manager Retail Branch Server 4.2","product":{"name":"SUSE Manager Retail Branch Server 4.2","product_id":"SUSE Manager Retail Branch Server 4.2","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-retail-branch-server:4.2"}}},{"category":"product_name","name":"SUSE Manager Retail Branch Server 4.3","product":{"name":"SUSE Manager Retail Branch Server 4.3","product_id":"SUSE Manager Retail Branch Server 4.3","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-retail-branch-server:4.3"}}},{"category":"product_name","name":"SUSE Manager Server 4.1","product":{"name":"SUSE Manager Server 4.1","product_id":"SUSE Manager Server 4.1","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-server:4.1"}}},{"category":"product_name","name":"SUSE Manager Server 4.2","product":{"name":"SUSE Manager Server 4.2","product_id":"SUSE Manager Server 4.2","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-server:4.2"}}},{"category":"product_name","name":"SUSE Manager Server 4.3","product":{"name":"SUSE Manager Server 4.3","product_id":"SUSE Manager Server 4.3","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-server:4.3"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"apache-commons-configuration","product":{"name":"apache-commons-configuration","product_id":"apache-commons-configuration","product_identification_helper":{"purl":"pkg:rpm/suse/apache-commons-configuration@?upstream=apache-commons-configuration.src.rpm"}}},{"category":"product_version","name":"apache-commons-configuration2-2.10.1-150200.5.8.1","product":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1","product_id":"apache-commons-configuration2-2.10.1-150200.5.8.1","product_identification_helper":{"purl":"pkg:rpm/suse/apache-commons-configuration2@2.10.1-150200.5.8.1?upstream=apache-commons-configuration2-2.10.1-150200.5.8.1.src.rpm"}}},{"category":"product_version","name":"apache-commons-configuration2-2.10.1-160000.2.2","product":{"name":"apache-commons-configuration2-2.10.1-160000.2.2","product_id":"apache-commons-configuration2-2.10.1-160000.2.2","product_identification_helper":{"purl":"pkg:rpm/suse/apache-commons-configuration2@2.10.1-160000.2.2?upstream=apache-commons-configuration2-2.10.1-160000.2.2.src.rpm"}}},{"category":"product_version","name":"apache-commons-configuration2-2.9.0-1.1","product":{"name":"apache-commons-configuration2-2.9.0-1.1","product_id":"apache-commons-configuration2-2.9.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/apache-commons-configuration2@2.9.0-1.1?upstream=apache-commons-configuration2-2.9.0-1.1.src.rpm"}}},{"category":"product_version","name":"apache-commons-configuration2-javadoc-2.10.1-160000.2.2","product":{"name":"apache-commons-configuration2-javadoc-2.10.1-160000.2.2","product_id":"apache-commons-configuration2-javadoc-2.10.1-160000.2.2","product_identification_helper":{"purl":"pkg:rpm/suse/apache-commons-configuration2-javadoc@2.10.1-160000.2.2?upstream=apache-commons-configuration2-2.10.1-160000.2.2.src.rpm"}}},{"category":"product_version","name":"apache-commons-configuration2-javadoc-2.9.0-1.1","product":{"name":"apache-commons-configuration2-javadoc-2.9.0-1.1","product_id":"apache-commons-configuration2-javadoc-2.9.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/apache-commons-configuration2-javadoc@2.9.0-1.1?upstream=apache-commons-configuration2-2.9.0-1.1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise Server 15 SP6","product_id":"SUSE Linux Enterprise Server 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise Server 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise Desktop 15 SP6","product_id":"SUSE Linux Enterprise Desktop 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise Desktop 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise High Performance Computing 15 SP6","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise Module for Development Tools 15 SP6","product_id":"SUSE Linux Enterprise Module for Development Tools 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise Module for Development Tools 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise Server 15 SP7","product_id":"SUSE Linux Enterprise Server 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise Server 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise Desktop 15 SP7","product_id":"SUSE Linux Enterprise Desktop 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise Desktop 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP7","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise High Performance Computing 15 SP7","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-150200.5.8.1 as component of SUSE Linux Enterprise Module for Development Tools 15 SP7","product_id":"SUSE Linux Enterprise Module for Development Tools 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1"},"product_reference":"apache-commons-configuration2-2.10.1-150200.5.8.1","relates_to_product_reference":"SUSE Linux Enterprise Module for Development Tools 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.10.1-160000.2.2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.10.1-160000.2.2"},"product_reference":"apache-commons-configuration2-2.10.1-160000.2.2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-javadoc-2.10.1-160000.2.2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.10.1-160000.2.2"},"product_reference":"apache-commons-configuration2-javadoc-2.10.1-160000.2.2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-2.9.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:apache-commons-configuration2-2.9.0-1.1"},"product_reference":"apache-commons-configuration2-2.9.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration2-javadoc-2.9.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.9.0-1.1"},"product_reference":"apache-commons-configuration2-javadoc-2.9.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Enterprise Storage 7","product_id":"SUSE Enterprise Storage 7:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Enterprise Storage 7"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Server 15 SP3","product_id":"SUSE Linux Enterprise Server 15 SP3:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Server 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Desktop 15 SP3","product_id":"SUSE Linux Enterprise Desktop 15 SP3:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Desktop 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise High Performance Computing 15 SP3","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP3:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Server 4.2","product_id":"SUSE Manager Server 4.2:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Server 4.2"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Proxy 4.2","product_id":"SUSE Manager Proxy 4.2:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Proxy 4.2"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Retail Branch Server 4.2","product_id":"SUSE Manager Retail Branch Server 4.2:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Retail Branch Server 4.2"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Enterprise Storage 7.1","product_id":"SUSE Enterprise Storage 7.1:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Enterprise Storage 7.1"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Module for Development Tools 15 SP3","product_id":"SUSE Linux Enterprise Module for Development Tools 15 SP3:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Module for Development Tools 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Server 15 SP4","product_id":"SUSE Linux Enterprise Server 15 SP4:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Server 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Desktop 15 SP4","product_id":"SUSE Linux Enterprise Desktop 15 SP4:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Desktop 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise High Performance Computing 15 SP4","product_id":"SUSE Linux Enterprise High Performance Computing 15 SP4:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Server 4.3","product_id":"SUSE Manager Server 4.3:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Server 4.3"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Proxy 4.3","product_id":"SUSE Manager Proxy 4.3:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Proxy 4.3"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Retail Branch Server 4.3","product_id":"SUSE Manager Retail Branch Server 4.3:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Retail Branch Server 4.3"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Module for Development Tools 15 SP4","product_id":"SUSE Linux Enterprise Module for Development Tools 15 SP4:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Module for Development Tools 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Server 15 SP2-LTSS","product_id":"SUSE Linux Enterprise Server 15 SP2-LTSS:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Server 15 SP2-LTSS"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Server Business Critical Linux 15 SP2","product_id":"SUSE Linux Enterprise Server Business Critical Linux 15 SP2:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Server Business Critical Linux 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2","product_id":"SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Proxy 4.1","product_id":"SUSE Manager Proxy 4.1:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Proxy 4.1"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Retail Branch Server 4.1","product_id":"SUSE Manager Retail Branch Server 4.1:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Retail Branch Server 4.1"},{"category":"default_component_of","full_product_name":{"name":"apache-commons-configuration as component of SUSE Manager Server 4.1","product_id":"SUSE Manager Server 4.1:apache-commons-configuration"},"product_reference":"apache-commons-configuration","relates_to_product_reference":"SUSE Manager Server 4.1"}]},"vulnerabilities":[{"cve":"CVE-2022-33980","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2022-33980"}],"notes":[{"category":"general","text":"Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Enterprise Storage 7.1:apache-commons-configuration","SUSE Enterprise Storage 7:apache-commons-configuration","SUSE Linux Enterprise Desktop 15 SP3:apache-commons-configuration","SUSE Linux Enterprise Desktop 15 SP4:apache-commons-configuration","SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS:apache-commons-configuration","SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-commons-configuration","SUSE Linux Enterprise High Performance Computing 15 SP3:apache-commons-configuration","SUSE Linux Enterprise High Performance Computing 15 SP4:apache-commons-configuration","SUSE Linux Enterprise Module for Development Tools 15 SP3:apache-commons-configuration","SUSE Linux Enterprise Module for Development Tools 15 SP4:apache-commons-configuration","SUSE Linux Enterprise Server 15 SP2-LTSS:apache-commons-configuration","SUSE Linux Enterprise Server 15 SP3:apache-commons-configuration","SUSE Linux Enterprise Server 15 SP4:apache-commons-configuration","SUSE Linux Enterprise Server Business Critical Linux 15 SP2:apache-commons-configuration","SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-commons-configuration","SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-configuration","SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-configuration","SUSE Manager Proxy 4.1:apache-commons-configuration","SUSE Manager Proxy 4.2:apache-commons-configuration","SUSE Manager Proxy 4.3:apache-commons-configuration","SUSE Manager Retail Branch Server 4.1:apache-commons-configuration","SUSE Manager Retail Branch Server 4.2:apache-commons-configuration","SUSE Manager Retail Branch Server 4.3:apache-commons-configuration","SUSE Manager Server 4.1:apache-commons-configuration","SUSE Manager Server 4.2:apache-commons-configuration","SUSE Manager Server 4.3:apache-commons-configuration"],"recommended":["SUSE Linux Enterprise Desktop 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Desktop 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise High Performance Computing 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise High Performance Computing 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Module for Development Tools 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Module for Development Tools 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.10.1-160000.2.2","SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.10.1-160000.2.2","SUSE Linux Enterprise Server for SAP Applications 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server for SAP Applications 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","openSUSE Tumbleweed:apache-commons-configuration2-2.9.0-1.1","openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.9.0-1.1"]},"references":[{"category":"external","summary":"CVE-2022-33980","url":"https://www.suse.com/security/cve/CVE-2022-33980"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1201279 for CVE-2022-33980","url":"https://bugzilla.suse.com/1201279"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Desktop 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Desktop 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise High Performance Computing 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise High Performance Computing 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Module for Development Tools 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Module for Development Tools 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.10.1-160000.2.2","SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.10.1-160000.2.2","SUSE Linux Enterprise Server for SAP Applications 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server for SAP Applications 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","openSUSE Tumbleweed:apache-commons-configuration2-2.9.0-1.1","openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.9.0-1.1"]}],"scores":[{"cvss_v3":{"baseScore":8.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L","version":"3.1"},"products":["SUSE Linux Enterprise Desktop 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Desktop 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise High Performance Computing 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise High Performance Computing 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Module for Development Tools 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Module for Development Tools 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.10.1-160000.2.2","SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.10.1-160000.2.2","SUSE Linux Enterprise Server for SAP Applications 15 SP6:apache-commons-configuration2-2.10.1-150200.5.8.1","SUSE Linux Enterprise Server for SAP Applications 15 SP7:apache-commons-configuration2-2.10.1-150200.5.8.1","openSUSE Tumbleweed:apache-commons-configuration2-2.9.0-1.1","openSUSE Tumbleweed:apache-commons-configuration2-javadoc-2.9.0-1.1"]}],"threats":[{"category":"impact","date":"2022-07-06T14:00:02Z","details":"important"}],"title":"CVE-2022-33980"}]}