CVE-2022-42889

Summary

CVE: CVE-2022-42889
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-10-13 13:15:00 UTC
Updated: 2024-01-19 16:15:00 UTC
Description: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
  • "script" - execute expressions using the JVM script execution engine (javax.script)
  • "dns" - resolve DNS records
  • "url" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Risk And Classification

Problem Types: CWE-94

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor  | Product                          | Version | Update | Edition | Language
Application | Apache  | Commons Text                     | All     | All    | All     | All
Hardware    | Juniper | Jsa1500                          | -       | All    | All     | All
Hardware    | Juniper | Jsa3500                          | -       | All    | All     | All
Hardware    | Juniper | Jsa3800                          | -       | All    | All     | All
Hardware    | Juniper | Jsa5500                          | -       | All    | All     | All
Hardware    | Juniper | Jsa5800                          | -       | All    | All     | All
Hardware    | Juniper | Jsa7500                          | -       | All    | All     | All
Hardware    | Juniper | Jsa7800                          | -       | All    | All     | All
Application | Juniper | Security Threat Response Manager | All     | All    | All     | All
Application | Juniper | Security Threat Response Manager | 7.5.0   | -      | All     | All
Application | Juniper | Security Threat Response Manager | 7.5.0   | up1    | All     | All
Application | Juniper | Security Threat Response Manager | 7.5.0   | up2    | All     | All
Application | Juniper | Security Threat Response Manager | 7.5.0   | up3    | All     | All
Application | Netapp  | Bluexp                           | -       | All    | All     | All

References

Reference | Source | Link | Tags
Full Disclosure: OXAS-ADV-2022-0002: OX App Suite Security Advisory | FULLDISC | seclists.org |
Apache Commons Text 1.9 Remote Code Execution ≈ Packet Storm | | packetstormsecurity.com |
Apache Commons Text: Arbitrary Code Execution (GLSA 202301-05) — Gentoo security | GENTOO | security.gentoo.org |
Security Advisory | CONFIRM | psirt.global.sonicwall.com |
oss-security - CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults | MLIST | www.openwall.com |
oss-security - Re: CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults | MLIST | www.openwall.com |
N/A | CONFIRM | lists.apache.org |
OX App Suite Cross Site Scripting / Server-Side Request Forgery ≈ Packet Storm | MISC | packetstormsecurity.com |
CVE-2022-42889 Apache Commons Text Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 150586 Apache Commons Text Remote Code Execution (RCE) Vulnerability (Text4Shell) (CVE-2022-42889)
  • 182611 Debian Security Update for commons-text (CVE-2022-42889)
  • 20317 Oracle Database 21c Critical Patch Update - January 2023
  • 20318 Oracle Database 19c Critical Patch Update - January 2023
  • 20319 Oracle Database 19c Critical OJVM Patch Update - January 2023
  • 241074 Red Hat Update for Satellite 6.12.1 (RHSA-2023:0261)
  • 241326 Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2023:1524)
  • 241340 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:1655)
  • 241395 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:1866)
  • 241405 Red Hat Update for Satellite 6.13 (RHSA-2023:2097)
  • 377639 Apache Commons Arbitrary Code Execution (ACE) Vulnerability (Text4Shell) (CVE-2022-42889)
  • 377682 F5 BIG-IP Apache Commons Text Vulnerability (K24823443) (Text4Shell) (CVE-2022-42889)
  • 377701 Apache Commons Arbitrary Code Execution (ACE) Vulnerability (Text4Shell) (CVE-2022-42889) Scan Utility
  • 710697 Gentoo Linux Apache Commons Text Arbitrary Code Execution Vulnerability (GLSA 202301-05)
  • 770183 Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2023:1524)
  • 770184 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:1655)
  • 770185 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:1866)
  • 960924 Rocky Linux Security Update for Satellite (RLSA-2023:2097)
© CVE.report 2026
