Bug#1021787: commons-text: CVE-2022-42889
Moritz Mühlenhoff
jmm at inutil.org
Fri Oct 14 19:22:41 BST 2022
Source: commons-text
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for commons-text.
CVE-2022-42889[0]:
| Apache Commons Text performs variable interpolation, allowing
| properties to be dynamically evaluated and expanded. The standard
| format for interpolation is "${prefix:name}", where "prefix" is used
| to locate an instance of org.apache.commons.text.lookup.StringLookup
| that performs the interpolation. Starting with version 1.5 and
| continuing through 1.9, the set of default Lookup instances included
| interpolators that could result in arbitrary code execution or contact
| with remote servers. These lookups are: - "script" - execute
| expressions using the JVM script execution engine (javax.script) -
| "dns" - resolve dns records - "url" - load values from urls, including
| from remote servers Applications using the interpolation defaults in
| the affected versions may be vulnerable to remote code execution or
| unintentional contact with remote servers if untrusted configuration
| values are used. Users are recommended to upgrade to Apache Commons
| Text 1.10.0, which disables the problematic interpolators by default.
https://www.openwall.com/lists/oss-security/2022/10/13/4
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-42889
https://www.cve.org/CVERecord?id=CVE-2022-42889
Please adjust the affected versions in the BTS as needed.
More information about the pkg-java-maintainers
mailing list