View Issue Details

IDProjectCategoryView StatusLast Update
0005541SymmetricDSBugpublic2022-11-30 19:40
Reporterpmarzullo Assigned Topmarzullo  
Status closedResolutionfixed 
Product Version3.13.8 
Target Version3.13.9Fixed in Version3.13.9 
Summary0005541: Apache commons-text version 1.9 security vulnerability
DescriptionCVE-2022-42889 prior to 1.10.0, RCE when applied to untrusted input

On 2022-10-13, the Apache Commons Text team disclosed CVE-2022-42889 . Key takeaways:

If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.
Apache Commons Text is a low-level library for performing various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators. When using the string substitution feature, some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators.

For that reason the Apache Commons Text team have decided to update the configuration to be more "secure by default", so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators. However, it is still recommended that users treat untrusted input with care.

We're not currently aware of any applications that pass untrusted input to the substitutor and thus would have been impacted by this problem prior to Apache Commons Text 1.10.0.

This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.


related to 0005540 closedpmarzullo Apache commons-text version 1.9 security vulnerability 
related to 0005542 closedpmarzullo Apache commons-text version 1.9 security vulnerability 


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2022-10-19 13:30 pmarzullo New Issue
2022-10-19 13:30 pmarzullo Status new => assigned
2022-10-19 13:30 pmarzullo Assigned To => pmarzullo
2022-10-19 13:30 pmarzullo Tag Attached: security
2022-10-19 15:05 pmarzullo Status assigned => resolved
2022-10-19 15:05 pmarzullo Resolution open => fixed
2022-10-19 15:05 pmarzullo Fixed in Version => 3.13.9
2022-11-11 13:52 pmarzullo Relationship added related to 0005542
2022-11-11 13:53 pmarzullo Relationship added related to 0005540
2022-11-30 19:40 admin Status resolved => closed