Remote code execution vulnerability discovered in Apache Commons Text

Jan

Major Apache Commons Text vulnerability discovered

A dangerous vulnerability related to reckless string interpolation behaviour has been found in the Java source code library Apache Commons Text, Sophos reports.

The flaw is tracked as CVE-2022-42889 and affects Apache Commons Text versions released before 1.10.0, allowing remote code execution when applied to untrusted input due to insecure interpolation defaults.
 
There are some prerequisites, like you need a web interface that accepts user input (without validation!), and not everyone uses the interpolator function. Plus it needs the Nashorn engine.

For Apache Commons Text, look for:
Code:
StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()
or
Code:
StringSubstitutor.createInterpolator().replace()
in your code.

For Apache Commons Configuration look for:
Code:
org.apache.commons.configuration2.interpol.ConfigurationInterpolator
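One way to keep using Commons Text interpolation without the dangerous defaults, as an added example that is not part of the original post or of the Apache project's own code: instead of `StringSubstitutor.createInterpolator()` (which on versions before 1.10.0 registers the `script:`, `dns:` and `url:` lookups), build the interpolator from an explicit allow-list of lookups with `addDefaultLookups=false`, so those prefixes are never registered no matter which library version is on the classpath. The class name `SafeInterpolation`, the method `restrictedInterpolator` and the `app:` prefix are assumptions for this example; the Commons Text APIs used (`interpolatorStringLookup(Map, StringLookup, boolean)`, `mapStringLookup`, `systemPropertyStringLookup`, `new StringSubstitutor(StringLookup)`) exist in the library.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    /**
     * Builds a StringSubstitutor that only resolves an explicit allow-list of
     * prefixes (hypothetical names for this example). Because the third argument
     * is false, the library's default lookups (including script:, dns: and url:
     * on versions before 1.10.0) are never added.
     */
    static StringSubstitutor restrictedInterpolator(Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // "app" resolves only against values the application itself supplies.
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        // "sys" is read-only access to JVM system properties; drop it too if not needed.
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());

        // defaultStringLookup = null: a prefix that is not in the map resolves to null,
        // and StringSubstitutor then leaves the ${...} text unchanged instead of evaluating it.
        StringLookup lookup =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup);
    }

    public static void main(String[] args) {
        // Constructed sample values for the demo.
        Map<String, String> values = new HashMap<>();
        values.put("name", "demo");
        StringSubstitutor safe = restrictedInterpolator(values);

        // Allow-listed prefixes still work.
        System.out.println(safe.replace("Hello ${app:name} on Java ${sys:java.version}"));

        // A prefix outside the allow-list is left as literal text rather than resolved,
        // which is the behaviour you want when the template comes from untrusted input.
        System.out.println(safe.replace("${script:javascript:not-evaluated}"));
    }
}
```

This is a mitigation to apply alongside upgrading to 1.10.0 or later, not instead of it: the allow-list protects the interpolators you construct yourself, while the upgrade fixes the defaults for any code path (including third-party libraries) that still calls `createInterpolator()` or `interpolatorStringLookup()` with no arguments.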