Description

Apache Commons Text is a library focused on algorithms working on strings. Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Versions prior to 1.10.0 are vulnerable to RCE when untrusted input is used inside variable interpolation due to insecure interpolation defaults. The vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library.

Remediation

Upgrade to Apache Commons Text 1.10.0.

References

CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE

Detecting and mitigating CVE-2022-42889 a.k.a. Text4shell

Related Vulnerabilities

Symfony ESI (Edge-Side Includes) enabled

Jboss Application Server HTTPServerILServlet.java remote code execution

WordPress 'wp-admin/options.php' Remote Code Execution Vulnerability (0.6.2 - 2.3.2)

Craft CMS register_argc_argv RCE (CVE-2024-56145)

Drupal Remote Code Execution (SA-CORE-2018-002)

Severity

Critical

Classification

CVE-2022-42889 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution