skip to content
Back to
Home Bounties Research Advisories Get Involved Events
July 14, 2022

GHSL-2022-017: Arbitrary command execution through Apache Commons Configuration - CVE-2022-33980

Alvaro Munoz

Coordinated Disclosure Timeline


Attackers able to control a configuration file or property may be able to run arbitrary system commands


Apache Commons Configuration

Tested Version



Issue: Unsafe script evaluation (GHSL-2022-017)

By default, Commons Configuration performs variable interpolation that allows properties to be dynamically evaluated and expanded. The general syntax of a variable name is ${prefix:name}. The prefix tells Commons Configuration that the variable is to be evaluated in a certain context. If the prefix is missing, the context is the current configuration instance. If a prefix is provided, then it will be used to look for the matching Lookup class that will resolve the variable. Commons Configuration uses Commons Text StringSubstitutor with the default set of interpolation lookups under the hood. On of the default available lookups is the ScriptStringLookup which uses javax.script package to run scripts (eg: Javascript, Groovy, …). An attacker can provide a configuration property such as ${script:javascript:java.lang.Runtime.getRuntime().exec()} to run arbitrary system commands when the property is retrieved.


Create a properties files such as:

database.user = ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}

Load the database.user property:

Parameters params = new Parameters();
File propertiesFile = new File("");
FileBasedConfigurationBuilder<FileBasedConfiguration> builder = new FileBasedConfigurationBuilder<FileBasedConfiguration>(PropertiesConfiguration.class)
FileBasedConfiguration config = builder.getConfiguration();

A file called /tmp/foo should have been created.

Reasons to report

This issue may be considered a feature, however, we think it is a vulnerability for the following reasons:

  1. In the past CVE-2020-1953 was issued with CVSS 10. This vulnerability is similar to the one being reported since loading untrusted configuration files may lead to remote code execution (RCE).
  2. Official documentation does not mention the script interpolation and the related risk so users may not be aware of it. It does, however, mention the const, sys, and env interpolations.
  3. Official documentation documents ExprLookup which is similar to ScriptStringLookup in that they can both lead to RCE but in this case, the dangerous lookup is an opt-in lookup and, therefore, not enabled by default (probably because of the security implications although it is not mentioned explicitly).
  4. An attacker does not need to control the whole configuration file, untrusted data flowing to Configuration.addProperty or Configuration.setProperty will also lead to RCE if those properties are later read.
  5. Some configurations such as the ServletRequestConfiguration are intrinsically insecure since they will always contain user-controlled properties.


This issue may lead to Remote Code Execution



This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include a reference to GHSL-2022-017 in any communication regarding this issue.