| Details | |
|---|---|
| Alert ID | 40047 |
| Alert Type | Active |
| Status | beta |
| Risk | High |
| CWE | 117 |
| WASC | 20 |
| Technologies Targeted |
Language / Java |
| Tags |
CVE-2022-42889 CWE-117 OUT_OF_BAND OWASP_2017_A09 OWASP_2021_A06 WSTG-V42-INPV-11 |
| More Info |
Scan Rule Help |
Summary
Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults.Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded.The application has been shown to initial contact with remote servers via variable interpolation and may well be vulnerable to Remote Code Execution (RCE).
Solution
Upgrade Apache Commons Text prior to version 1.10.0 or newer.Other Info
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-42889
- https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/