Home > Vulnerability Database > CVE-2022-42889

Mend.io Vulnerability Database

CVE-2022-42889

Good to know:

Date: October 13, 2022

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Language: Java

Severity Score

9.8

Related Resources (12)

Url: http://www.openwall.com/lists/oss-security/2022/10/13/4

Url: https://security.netapp.com/advisory/ntap-20221020-0004/

Url: http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Url: http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html

Url: http://seclists.org/fulldisclosure/2023/Feb/3

Url: https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

Url: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022

Url: https://security.gentoo.org/glsa/202301-05

Url: https://security-tracker.debian.org/tracker/CVE-2022-42889

Url: http://www.openwall.com/lists/oss-security/2022/10/18/1

Url: https://www.mend.io/vulnerability-database/CVE-2022-42889

Severity Score

9.8

Weakness Type (CWE)

Code Injection

CWE-94

Top Fix

Upgrade Version

Upgrade to version org.apache.commons:commons-text:1.10.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-42889

Good to know:

Date: October 13, 2022

Language: Java

Severity Score

Related Resources (12)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?