{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29131", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-03-16T11:33:44.045Z", "datePublished": "2024-03-21T09:07:13.627Z", "dateUpdated": "2024-08-28T14:22:06.366Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.commons:commons-configuration2", "product": "Apache Commons Configuration", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.10.1", "status": "affected", "version": "2.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bob Marinier"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Out-of-bounds Write vulnerability in Apache Commons Configuration.<p>This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.</p><p>Users are recommended to upgrade to version 2.10.1, which fixes the issue.</p>"}], "value": "Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.\n\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-21T09:07:13.627Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/20/4"}], "source": {"defect": ["CONFIGURATION-840"], "discovery": "EXTERNAL"}, "title": "Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.764Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/20/4", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "apache", "product": "commons_configuration", "cpes": ["cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0", "status": "affected", "lessThan": "2.10.1", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-29T15:57:00.599892Z", "id": "CVE-2024-29131", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T14:22:06.366Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/20/4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.764Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-29T15:57:00.599892Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "commons_configuration", "versions": [{"status": "affected", "version": "2.0", "lessThan": "2.10.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T14:21:52.672Z"}}], "cna": {"title": "Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()", "source": {"defect": ["CONFIGURATION-840"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bob Marinier"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Commons Configuration", "versions": [{"status": "affected", "version": "2.0", "lessThan": "2.10.1", "versionType": "semver"}], "packageName": "org.apache.commons:commons-configuration2", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/20/4"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.\n\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds Write vulnerability in Apache Commons Configuration.<p>This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.</p><p>Users are recommended to upgrade to version 2.10.1, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-21T09:07:13.627Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29131", "state": "PUBLISHED", "dateUpdated": "2024-08-28T14:22:06.366Z", "dateReserved": "2024-03-16T11:33:44.045Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-03-21T09:07:13.627Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.\n\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de escritura fuera de los l\u00edmites en la configuraci\u00f3n de Apache Commons. Este problema afecta a la configuraci\u00f3n de Apache Commons: desde 2.0 antes de 2.10.1. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.10.1, que soluciona el problema."}], "id": "CVE-2024-29131", "lastModified": "2024-08-28T15:35:19.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-21T09:15:07.807", "references": [{"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2024/03/20/4"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security@apache.org", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3920", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "commons-configuration2", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:2945", "cpe": "cpe:/a:redhat:amq_broker:7.12", "package": "commons-configuration2", "product_name": "Red Hat AMQ Broker 7", "release_date": "2024-05-21T00:00:00Z"}], "bugzilla": {"description": "commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()", "id": "2270674", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270674"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "status": "verified"}, "cwe": "CWE-121->CWE-787", "details": ["Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.", "A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error can occur when adding a property in AbstractListDelimiterHandler.flattenIterator(). This issue could allow an attacker to corrupt memory or execute a denial of service attack by crafting malicious property that triggers an out-of-bounds write issue when processed by the vulnerable method."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-29131", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Will not fix", "package_name": "commons-configuration2", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "commons-configuration2", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "commons-configuration2", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "commons-configuration2", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "commons-configuration2", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "commons-configuration2", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "commons-configuration2", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2024-03-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-29131\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29131\nhttps://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554\nhttps://github.com/apache/commons-configuration/commit/7d7d399d0598cb0ca5f81891de34694178156dab\nhttps://issues.apache.org/jira/browse/CONFIGURATION-840"], "threat_severity": "Low", "upstream_fix": "commons-configuration 2.10.1"}