GHSA-599f-7c49-w659 — critical GitHub Advisory (CVE-2022-42889) in maven/org.apache.commons:commons…

Description

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Basic information

Type: reviewed
Severity: critical
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Browse source ↗
Published (advisory): 2022-10-13 19:00:17 UTC
Updated: 2024-01-19 20:49:34 UTC
GitHub reviewed: 2022-10-13 20:22:17 UTC
NVD published: 2022-10-13

Score	Percentile
94.25%	99.93%

CVSS Scores

Base score	Version	Severity	Vector
9.8	3.1	—	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type	Value
GHSA	GHSA-599f-7c49-w659 ↗
CVE	CVE-2022-42889 ↗

CWEs

CWE id	Name
CWE-94	Improper Control of Generation of Code ('Code Injection')

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
maven	org.apache.commons:commons-text	>= 1.5, < 1.10.0	1.10.0	—
maven	com.guicedee.services:commons-text	<= 1.2.2.1-jre17	—	—

Arbitrary code execution in Apache Commons Text