CVE-2022-42889 Information
Description
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is ${prefix:name}, where prefix is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- script - execute expressions using the JVM script execution engine (javax.script)
- dns - resolve DNS records
- url - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
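As an added example (not part of the advisory or the project's own code), the following shows the defender-side fix in the library's Java API: instead of the interpolator defaults, an allow-list of lookups is registered, so the script, dns and url prefixes are never resolved even when an untrusted value contains them. The class name SafeInterpolation and the sample input are assumptions.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    // Build a substitutor that knows only the lookups this application needs.
    // Compare with StringSubstitutor.createInterpolator(), which in 1.5-1.9
    // registers script, dns and url as well.
    static StringSubstitutor restrictedSubstitutor() {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = Map.of(
                "sys", factory.systemPropertyStringLookup(),
                "env", factory.environmentVariableStringLookup());
        // addDefaultLookups = false: nothing beyond the allow-list is registered.
        // An unknown prefix yields no lookup, so the variable is left unexpanded
        // rather than evaluated.
        StringLookup interpolator = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample: a configuration value that mixes a legitimate
        // reference with a prefix an untrusted source should never be able to use.
        String untrusted = "runtime=${sys:java.version} extra=${script:javascript:untrusted()}";
        // Prints the resolved java.version and leaves the ${script:...} token as-is.
        System.out.println(restrictedSubstitutor().replace(untrusted));
    }
}
```

The same allow-list approach applies to the dns and url prefixes; a value that reaches the substitutor with any prefix not in the map is simply passed through, which is also easy to spot in logs.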
Reference
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
http://www.openwall.com/lists/oss-security/2022/10/13/4