Details
Alert ID 40047
Alert Type Active
Status beta
Risk High
CWE 117
WASC 20
Technologies Targeted Language / Java
Tags CVE-2022-42889
CWE-117
OUT_OF_BAND
OWASP_2017_A09
OWASP_2021_A06
POLICY_DEV_FULL
POLICY_QA_FULL
POLICY_SEQUENCE
WSTG-V42-INPV-11
More Info Scan Rule Help

Summary

Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults.Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded.The application has been shown to initial contact with remote servers via variable interpolation and may well be vulnerable to Remote Code Execution (RCE).

Solution

Upgrade Apache Commons Text prior to version 1.10.0 or newer.

Other Info

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/Text4ShellScanRule.java