9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-42889

GHSA ID

GHSA-599f-7c49-w659

EPSS Score

CWE

CWE-94

Published

10/13/2022

Updated

1/19/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-42889

CVE-2022-42889:
Arbitrary code execution in Apache Commons Text

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-42889

GHSA ID

GHSA-599f-7c49-w659

EPSS Score

CWE

CWE-94

Published

10/13/2022

Updated

1/19/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.commons:commons-text	maven	>= 1.5, < 1.10.0	1.10.0
com.guicedee.services:commons-text	maven	<= 1.2.2.1-jre17

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis is based on the descriptions provided, highlighting the role of StringSubstitutor and its methods in the vulnerability. The methods replace and replaceIn are directly implicated in processing potentially malicious input, making them the primary vulnerable functions. The createInterpolator method is also relevant as it sets up the interpolator with default lookups that include the vulnerable ones.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** *ommons T*xt p*r*orms v*ri**l* int*rpol*tion, *llowin* prop*rti*s to ** *yn*mi**lly *v*lu*t** *n* *xp*n***. T** st*n**r* *orm*t *or int*rpol*tion is "${pr**ix:n*m*}", w**r* "pr**ix" is us** to lo**t* *n inst*n** o* or*.*p****.*ommons.t*xt.look

Reasoning

T** *n*lysis is **s** on t** **s*riptions provi***, *i**li**tin* t** rol* o* Strin*Su*stitutor *n* its m*t*o*s in t** vuln*r**ility. T** m*t*o*s r*pl*** *n* r*pl***In *r* *ir**tly impli**t** in pro**ssin* pot*nti*lly m*li*ious input, m*kin* t**m t**

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-42889: Arbitrary code execution in Apache Commons Text

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-42889:
Arbitrary code execution in Apache Commons Text

Vulnerability Intelligence
Miggo AI