Description
Apache Commons Text is a library focused on algorithms working on strings. Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Versions prior to 1.10.0 are vulnerable to RCE when untrusted input is used inside variable interpolation due to insecure interpolation defaults. The vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library.
Remediation
Upgrade to Apache Commons Text 1.10.0.
References
Related Vulnerabilities
WordPress Plugin EWWW Image Optimizer Remote Code Execution (2.8.3)
BigIP iRule Tcl code injection
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-40177)
WordPress Plugin WP Super Cache PHP Code Injection (1.2)
Palo Alto PAN-OS Management Interface Auth Bypass (CVE-2024-0012/CVE-2024-9474)