Critical Vulnerability in Apache Commons Text Library

Published on 18 Oct 2022

Updated on 18 Oct 2022

The Apache Software Foundation has released security updates to address a critical vulnerability (CVE-2022-42889) in the Apache Commons Text library. It has a Common Vulnerability Scoring System (CVSS) base score of 9.8 out of 10.

The vulnerability affects Apache Commons Text versions 1.5 through 1.9. In these versions the default interpolating string substitutor (StringSubstitutor.createInterpolator()) resolves the "script", "dns" and "url" lookup prefixes, so an application that passes attacker-controlled strings through it can be made to execute arbitrary code (via "script", where a JSR-223 script engine is available on the JVM) or to contact attacker-chosen remote servers (via "dns" and "url"). No authentication is required beyond reaching the affected code path; the library is only exploitable where application code feeds untrusted input into the interpolator. A proof-of-concept exploit for this vulnerability is reportedly available.
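The following Java snippet is an added illustration, not code from the advisory or from the Apache Commons Text project. It puts the vulnerable usage pattern beside a hardened one. It assumes org.apache.commons:commons-text is on the classpath; the class name CommonsTextDemo, the method names and the sample template strings are constructed for this example. The probe uses the harmless "java:" prefix, which the same interpolator resolves on every affected version, rather than a "script:" payload, so it shows that prefixed lookups are being evaluated without executing anything.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class CommonsTextDemo {

    // Vulnerable pattern on commons-text 1.5 through 1.9: the interpolator
    // returned by createInterpolator() has the "script", "dns" and "url"
    // lookups enabled by default, so a "${script:javascript:...}" or
    // "${url:...}" string supplied by an untrusted caller is evaluated.
    static String vulnerableRender(String untrustedTemplate) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(untrustedTemplate);
    }

    // Hardened pattern: register only the lookup prefixes the application
    // actually needs and do NOT add the default lookup set (third argument
    // false), so script/dns/url are never available regardless of version.
    // Plain "${name}" variables come from the application-controlled map.
    static String hardenedRender(String template, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());

        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed,
                StringLookupFactory.INSTANCE.mapStringLookup(values),
                false);

        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Keep nested "${${...}}" substitution off so a value cannot smuggle in
        // a second round of lookups.
        sub.setEnableSubstitutionInVariables(false);
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed input: a harmless prefixed lookup that demonstrates the
        // interpolator resolving "${prefix:name}" expressions.
        String probe = "Runtime is ${java:version}";
        System.out.println("vulnerable: " + vulnerableRender(probe));

        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        System.out.println("hardened:   "
                + hardenedRender("Hello ${user}, runtime is ${java:version}", values));
    }
}
```

On an affected version the first call prints the JVM version in place of ${java:version}, showing that the string was interpolated; a "${script:...}" or "${url:...}" string handed to the same method would be handled the same way. The hardened renderer resolves ${user} from the application's own map, and leaves ${java:version} unresolved because the "java" prefix is not on the allow-list and the value map has no matching entry. Upgrading to 1.10.0 is still the primary fix; the allow-list approach is a defence in depth for code that must accept templates from outside the trust boundary.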

Administrators and users of the Apache Commons Text library are advised to upgrade to version 1.10.0 immediately. In 1.10.0 the "script", "dns" and "url" lookups are no longer part of the default interpolator and must be enabled explicitly by the application. Independently of the version in use, untrusted input should not be passed to StringSubstitutor.createInterpolator().

More information is available here:
https://nvd.nist.gov/vuln/detail/CVE-2022-42889
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
https://www.darkreading.com/application-security/researchers-keep-a-wary-eye-on-critical-new-vulnerability-in-apache-commons-text