CRITICAL✓ PATCH🇬🇧 English

CVE-2022-42889

CVSS 9.8v3.1pub. 2022-10-13upd. 2024-11-21

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Commons Text

    APP
    Apache
    1.5 – 1.10.0 (bez)
  • Juniper Jsa1500

    HW
    Juniper
    wszystkie wersje
  • Juniper Jsa3500

    HW
    Juniper
    wszystkie wersje
  • Juniper Jsa3800

    HW
    Juniper
    wszystkie wersje
  • Juniper Jsa5500

    HW
    Juniper
    wszystkie wersje
  • Juniper Jsa5800

    HW
    Juniper
    wszystkie wersje
  • Juniper Jsa7500

    HW
    Juniper
    wszystkie wersje
  • Juniper Jsa7800

    HW
    Juniper
    wszystkie wersje
  • Juniper Security Threat Response Manager

    APP
    Juniper
    7.5.0< 7.5.0
  • Netapp Bluexp

    APP
    Netapp
    wszystkie wersje
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2024-7254HIGH8.7ten sam produkt

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / seri...

CVE-2024-21147HIGH7.4ten sam produkt

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Orac...

CVE-2024-25111HIGH8.6ten sam produkt

Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a ...

CVE-2024-22201HIGH7.5ten sam produkt

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP cong...

CVE-2024-47554MEDIUM4.3ten sam produkt

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStre...

CVE-2022-42889 — CRITICAL 9.8 | CVEbaza.pl