
Apache Commons Text Vulnerability

Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:

The Apache Commons Text library has been found to contain a vulnerability which can result in code execution. Originally reported by Alvaro Munoz, this vulnerability comes from an insecure implementation of Commons Text’s variable interpolation functionality.

Read more about the CVE detail here: CVE-2022-42889
The CVSS (Common Vulnerability Scoring System) Severity Score has been rated as: 9.8 (critical)

Commons Text is a Java library used as a general-purpose text manipulation toolkit. The vulnerability resides in the StringSubstitutor interpolator object. The interpolator allows string lookups, which are invoked by passing a string of the form “${prefix:name}”, where the prefix selects a lookup defined in the StringLookupFactory.

By using lookups such as “script”, “dns” or “url”, a crafted string can execute arbitrary scripts once it has been passed to the interpolator object.

This affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10.

The recommended action is to upgrade to version 1.10 as soon as possible if there is a direct dependency on Commons Text. In common with other vulnerabilities, the likelihood is that vendors will release advisories in the near future with upgrades to any of their products which utilise the library.
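The following triage script is an added example, not code from DigitalXRAID or the Apache project. It checks jar file names against the affected range (1.5 through 1.9) and flags log lines carrying the “${prefix:name}” lookups named above; the file paths, log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Lookup prefixes the advisory names, matched inside "${prefix:name}" strings.
# Matching is case-insensitive as a conservative assumption.
LOOKUP_RE = re.compile(r"\$\{(script|dns|url):", re.IGNORECASE)
# Plain jar names only; shaded or repackaged copies need a deeper inventory.
JAR_RE = re.compile(r"commons-text-(\d+)\.(\d+)(?:\.\d+)?\.jar$")


def is_affected(jar_path):
    """True for Commons Text 1.5 through 1.9, the range given in the advisory."""
    m = JAR_RE.search(jar_path)
    return bool(m) and int(m.group(1)) == 1 and 5 <= int(m.group(2)) <= 9


def risky_lookups(log_line):
    """Return the sorted lookup prefixes seen in a log line."""
    # Decode twice so single and double percent-encoding are both caught.
    decoded = unquote(unquote(log_line))
    return sorted({m.group(1).lower() for m in LOOKUP_RE.finditer(decoded)})


# Constructed sample inventory and access-log lines (not real data).
SAMPLE_JARS = [
    "lib/commons-text-1.9.jar",
    "lib/commons-text-1.10.0.jar",
    "lib/commons-text-1.4.jar",
    "lib/commons-lang3-3.12.0.jar",
]
SAMPLE_LOG = [
    '10.0.0.5 "GET /search?q=%24%7Bscript%3Aname%7D HTTP/1.1" 200',
    '10.0.0.6 "GET /search?q=${DNS:name} HTTP/1.1" 200',
    '10.0.0.7 "GET /search?q=%2524%257Burl%253Aname%257D HTTP/1.1" 200',
    '10.0.0.8 "GET /search?q=${date:yyyy} HTTP/1.1" 200',
]


def triage(jars, log_lines):
    """Return (affected jars, {line number: prefixes}) for analyst review."""
    hits = {n: p for n, line in enumerate(log_lines, 1) if (p := risky_lookups(line))}
    return [j for j in jars if is_affected(j)], hits


if __name__ == "__main__":
    affected, hits = triage(SAMPLE_JARS, SAMPLE_LOG)
    print("Affected jars:", affected)
    print("Log lines with risky lookups:", hits)
```

A log hit only shows that such a string was submitted; whether it reached an interpolator on an affected version still has to be confirmed against the application.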

If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.   

If you need any support in mitigating any risks this vulnerability may pose to your business, please don’t hesitate to get in contact.
