Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2022-42889
Back to All
CVE

CVE-2022-42889

Arbitrary code execution in Apache Commons Text

Description

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Base CVSS

9.8

EPSS Score

94.12%

Introduced Version

0

Fix Available

1.10.0

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.apache.commons:commons-text
1.9
CVES Fixed
C
1
H
0
M
0
L
0
Code Changed
+999
-311

References

https://arxiv.org/pdf/2306.05534
https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text
http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
https://nvd.nist.gov/vuln/detail/CVE-2022-42889
https://security.netapp.com/advisory/ntap-20221020-0004
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
http://www.openwall.com/lists/oss-security/2022/10/13/4
http://www.openwall.com/lists/oss-security/2022/10/18/1
https://github.com/apache/commons-text
http://seclists.org/fulldisclosure/2023/Feb/3
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
https://security.gentoo.org/glsa/202301-05

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01