Back to KEVs

CVE-2022-42889

Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults

Basic Information

CVE State: PUBLISHED
Reserved Date: October 12, 2022
Published Date: October 13, 2022
Last Updated: November 20, 2024
Vendor: Apache Software Foundation
Product: Apache Commons Text
Description: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score: 94.16% (Percentile: 99.90%) as of 2025-05-12

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2022-10-20 11:40:50 UTC) Source

References

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om http://www.openwall.com/lists/oss-security/2022/10/13/4 http://www.openwall.com/lists/oss-security/2022/10/18/1 https://security.netapp.com/advisory/ntap-20221020-0004/ https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022 https://security.gentoo.org/glsa/202301-05 http://seclists.org/fulldisclosure/2023/Feb/3 http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html

Known Exploited Vulnerability Information

Source	Added Date
Wordfence	2022-10-20 11:40:50 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_commons_text4shell.rb	2025-04-29 11:01:20 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

apache_commons_text4shell

Type: metasploit • Created: Unknown

Metasploit module for CVE-2022-42889

808ale/CVE-2022-42889-Text4Shell-POC

Type: github • Created: 2023-06-27 08:29:24 UTC • Stars: 14

This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889.