CVE-2022-42889
Remote Code Execution vulnerability in org.apache.commons:commons-text
What is CVE-2022-42889 About?
Apache Commons Text versions 1.5 through 1.9 contain a Remote Code Execution vulnerability caused by insecure default variable interpolation. The default interpolator enables the 'script', 'dns' and 'url' StringLookup instances, so an application that interpolates untrusted configuration or input values can be made to execute arbitrary code or contact attacker-chosen servers. Reliable public exploit code exists, so exploitation is easy.
Affected Software
- org.apache.commons:commons-text
- >1.5, <1.10.0
- com.guicedee.services:commons-text
- <=1.2.2.1-jre17
Technical Details
Apache Commons Text, in versions 1.5 through 1.9, suffers from a Remote Code Execution (RCE) vulnerability in its variable interpolation feature. The interpolation syntax `${prefix:name}` dispatches on the prefix to an `org.apache.commons.text.lookup.StringLookup`, and the interpolating lookup returned by `StringLookupFactory.INSTANCE.interpolatorStringLookup()` (the lookup behind `StringSubstitutor.createInterpolator()`) wires in a set of default lookups. In the affected versions that default set includes three dangerous ones: 'script', which evaluates the expression through `javax.script` (`${script:engine:expression}`), 'dns', which performs DNS resolution, and 'url', which opens a URL and returns its content (`${url:charset:url}`, including `file:` URLs the JVM can read). If an application passes untrusted input (a configuration value, user-supplied data, an environment variable) through such a substitutor, a crafted string like `${script:javascript:java.lang.Runtime.getRuntime().exec('command')}` makes the 'script' lookup execute the embedded JavaScript, while 'url' and 'dns' can be abused for information disclosure and server-side request forgery (SSRF). Only code paths that use the interpolating lookup are affected; a `StringSubstitutor` built over a plain map (`new StringSubstitutor(map)`) has no prefix dispatch and does not reach these lookups.
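The vulnerable and hardened usage side by side, as an added example that is not code from the original page or from the Commons Text project. It assumes `org.apache.commons:commons-text` is on the classpath (1.9 to reproduce, 1.10.0 to confirm the fix); the class name `Text4ShellDemo`, the helpers `vulnerable` and `hardened`, the allowlisted prefixes `sys` and `env`, and the sample configuration value are all constructed for this example, and the script body is deliberately benign (it reads a system property instead of running a command).

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not project code): the default interpolator versus an
 * allowlisted one, fed the same attacker-controlled "configuration value".
 */
public class Text4ShellDemo {

    // Constructed sample input. The script part is benign on purpose.
    static final String UNTRUSTED =
        "greeting=${script:javascript:java.lang.System.getProperty('user.name')}";

    /** Vulnerable pattern: the default interpolating lookup, which in 1.5-1.9 includes script/dns/url. */
    static String vulnerable(String input) {
        // Same lookup that StringSubstitutor.createInterpolator() uses (that factory method exists from 1.8).
        StringSubstitutor sub = new StringSubstitutor(
            StringLookupFactory.INSTANCE.interpolatorStringLookup());
        return sub.replace(input);
    }

    /** Hardened pattern: an explicit allowlist of prefixes, with the default lookups NOT added. */
    static String hardened(String input) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());
        // addDefaultLookups = false: 'script', 'dns', 'url' (and every other default) are unreachable.
        // No default lookup either, so an unknown prefix resolves to null and is left unreplaced.
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        return sub.replace(input);
    }

    public static void main(String[] args) {
        try {
            // commons-text 1.9 on a JDK with a JSR-223 JavaScript engine (Nashorn, JDK 8-14):
            // prints "greeting=<user name>", i.e. attacker-supplied script ran inside the JVM.
            // commons-text 1.10.0: prints the input unchanged, 'script' is no longer a default lookup.
            System.out.println("vulnerable: " + vulnerable(UNTRUSTED));
        } catch (IllegalArgumentException e) {
            // The script lookup throws IllegalArgumentException when no engine named "javascript"
            // is installed (JDK 15+ without an added engine). The lookup is still wired in; only
            // the engine is missing, and 'dns' / 'url' would still work.
            System.out.println("vulnerable: script lookup reached, no JS engine: " + e.getMessage());
        }

        // Always prints the input unchanged: there is no 'script' prefix to dispatch to.
        System.out.println("hardened:   " + hardened(UNTRUSTED));

        // Legitimate interpolation through an allowlisted prefix still works.
        System.out.println("hardened:   " + hardened("home=${sys:user.home}"));
    }
}
```

The allowlist approach is the mitigation to reach for when a dependency pins an affected version and cannot be bumped immediately; it also remains the right shape after upgrading, since 1.10.0 only changes which lookups are on by default, not which ones exist.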
What is the Impact of CVE-2022-42889?
Successful exploitation lets an attacker who controls a value that the application interpolates run arbitrary code in the application's JVM (via 'script'), read local or remote resources and make server-side requests from the application's network position (via 'url'), and trigger DNS resolution to attacker-chosen names (via 'dns').
What is the Exploitability of CVE-2022-42889?
Exploiting this vulnerability is straightforward because the affected versions enable the dangerous lookups by default. Attack complexity is low: the attacker only needs to craft a string containing an interpolation directive and get it into a value the application passes through the interpolator. Authentication requirements depend on whether unauthenticated users can supply such input; the payload runs with the privileges of the application itself. The vulnerability is remotely triggerable over any channel that feeds interpolated values (HTTP request parameters and headers, configuration files fetched from external sources, and so on). Two practical caveats: the 'script' lookup needs a JSR-223 JavaScript engine, which ships with JDK 8 through 14 (Nashorn) but was removed in JDK 15, so on newer JDKs the script payload fails with an exception unless an engine has been added to the classpath, while 'dns' and 'url' work regardless of JDK version; and the lookup prefix is lower-cased before matching, so `${SCRIPT:...}` behaves like `${script:...}` and detection rules must match case-insensitively. Reliable public exploit code is available, which significantly increases the likelihood of attacks in the wild. The issue is commonly referred to as 'Text4Shell'.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| karthikuj | Link | Dockerized POC for CVE-2022-42889 Text4Shell |
| kljunowsky | Link | Apache commons text - CVE-2022-42889 Text4Shell proof of concept exploit. |
| ClickCyber | Link | cve-2022-42889 Text4Shell CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10. |
What are the Available Fixes for CVE-2022-42889?
Available Upgrade Options
- org.apache.commons:commons-text
- >=1.5, <1.10.0 → Upgrade to 1.10.0
Commons Text 1.10.0 removes 'script', 'dns' and 'url' from the default interpolator but keeps the lookup classes in the library; they can be re-enabled explicitly by passing them to `StringLookupFactory.interpolatorStringLookup(...)` or through the `org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups` system property, so after upgrading confirm that the application does not opt back in. Where an upgrade is not immediately possible, build the interpolator from an explicit allowlist of lookups with `addDefaultLookups=false`, or stop passing untrusted values through the interpolator altogether.
Additional Resources
- https://github.com/apache/commons-text
- https://arxiv.org/pdf/2306.05534
- http://www.openwall.com/lists/oss-security/2022/10/18/1
- https://nvd.nist.gov/vuln/detail/CVE-2022-42889
- http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
- https://osv.dev/vulnerability/GHSA-599f-7c49-w659
- https://security.netapp.com/advisory/ntap-20221020-0004/
- https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
- http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
What are Similar Vulnerabilities to CVE-2022-42889?
Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2020-13938, CVE-2020-13942
