CVE-2022-42889
CVE-2022-42889 is a critical-severity remote code execution vulnerability in Apache Commons Text, rated 9.8/10 on the CVSS 3.1 scale. Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. In versions 1.5 through 1.9 the default set of lookups included "script", "dns" and "url", so an untrusted value reaching the default interpolator could execute code in the JVM script engine or trigger requests to attacker-chosen hosts. EPSS estimates a 99.93% chance of exploitation in the next 30 days.
Description
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
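The following is an added example, not code from the advisory or from the Commons Text project, showing the two patterns the description contrasts: expanding an untrusted string with the default interpolator (the vulnerable pattern on 1.5 through 1.9) and expanding it with an explicit allow-list of lookups built via StringLookupFactory.interpolatorStringLookup(map, null, false), which keeps the script, dns and url lookups unreachable on any 1.x release. The probe strings, the "cfg" prefix, the config map and the isAffectedVersion helper are constructed for this example; the version check assumes plain "major.minor[.patch]" strings such as those in Maven coordinates.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class CommonsTextInterpolation {

    /** Vulnerable pattern on 1.5 <= commons-text < 1.10.0: the default
     *  interpolator registers the script:, dns: and url: lookups, so an
     *  attacker-controlled value is evaluated rather than merely expanded. */
    static String expandWithDefaults(String untrusted) {
        StringLookup defaults = StringLookupFactory.INSTANCE.interpolatorStringLookup();
        return new StringSubstitutor(defaults).replace(untrusted);
    }

    /** Hardened pattern: only the allow-listed prefix "cfg" is resolvable,
     *  addDefaultLookups=false keeps every built-in lookup out, and a null
     *  default lookup means bare ${name} references stay unresolved too. */
    static String expandAllowListed(String untrusted, Map<String, String> config) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("cfg", StringLookupFactory.INSTANCE.mapStringLookup(config));
        StringLookup restricted = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(restricted).replace(untrusted);
    }

    /** Triage helper (assumption: "major.minor[.patch]" version strings).
     *  Affected range from the advisory: >= 1.5 and < 1.10.0. */
    static boolean isAffectedVersion(String version) {
        String[] parts = version.split("\\.");
        int major = Integer.parseInt(parts[0]);
        int minor = parts.length > 1 ? Integer.parseInt(parts[1]) : 0;
        return major == 1 && minor >= 5 && minor < 10;
    }

    public static void main(String[] args) {
        // Constructed probes. The script probe is harmless arithmetic only: on an
        // affected version with a JSR-223 engine available it is executed by the
        // JVM script engine; on 1.10.0 the default lookups no longer resolve it.
        String scriptProbe = "${script:javascript:2 * 21}";
        String dnsProbe    = "${dns:address|localhost}";
        String benign      = "service=${cfg:service} port=${cfg:port}";

        Map<String, String> config = new HashMap<>();
        config.put("service", "api");
        config.put("port", "8443");

        System.out.println("defaults   : " + expandWithDefaults(scriptProbe));
        System.out.println("defaults   : " + expandWithDefaults(dnsProbe));

        // The restricted interpolator has no "script" or "dns" lookup registered,
        // so both probes come back unchanged while cfg: references still expand.
        System.out.println("allow-list : " + expandAllowListed(scriptProbe, config));
        System.out.println("allow-list : " + expandAllowListed(dnsProbe, config));
        System.out.println("allow-list : " + expandAllowListed(benign, config));

        for (String v : new String[] {"1.4", "1.5", "1.9", "1.10.0"}) {
            System.out.println(v + " affected=" + isAffectedVersion(v));
        }
    }
}
```

Upgrading to 1.10.0 changes only the defaults; code that explicitly registers the script, dns or url lookups remains exposed, which is why the allow-list construction is worth keeping even after the upgrade.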
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Text | >= 1.5, < 1.10.0 |
| Netapp | Bluexp | All versions |
| Juniper | Security Threat Response Manager | < 7.5.0 |
| Juniper | Security Threat Response Manager | 7.5.0 |
References
- http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html (Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2023/Feb/3 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/10/13/4 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/10/18/1 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om (Mailing List, Vendor Advisory)
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022 (Third Party Advisory)
- https://security.gentoo.org/glsa/202301-05 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20221020-0004/ (Third Party Advisory)
Source: NVD / NIST
