Vulnerability in Apache Software Foundation Commons Text
CVE-2022-42889
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.common…
EPSS: 0.943 (99.9th percentile)
Affected products
- Apache Software Foundation Commons Text — versions unspecified, 1.5
Public proof-of-concept exploits
- karthikuj/cve-2022-42889-text4shell-docker
- kljunowsky/CVE-2022-42889-text4shell
- ClickCyber/cve-2022-42889
- SeanWrightSec/CVE-2022-42889-PoC
- cxzero/CVE-2022-42889-text4shell
- f0ng/text4shellburpscanner
- cryxnet/CVE-2022-42889-RCE
- alealeluyah/CVE-2022-42889-Text4Shell-POC
- korteke/CVE-2022-42889-POC
- ifconfig-me/Log4Shell-Payloads
References
- lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
- [oss-security] 20221013 CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults (mailing-list)
- [oss-security] 20221017 Re: CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults (mailing-list)
- security.netapp.com/advisory/ntap-20221020-0004/
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
- GLSA-202301-05 (vendor-advisory)
- 20230214 OXAS-ADV-2022-0002: OX App Suite Security Advisory (mailing-list)
- packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-S…
- packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execut…
Frequently asked questions
- What is CVE-2022-42889?
- CVE-2022-42889 is a vulnerability in Apache Software Foundation Commons Text. Published 2022-10-13.
- Is CVE-2022-42889 known to be exploited?
- 154 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.