CVE-2022-42889

🗓️ 13 Oct 2022 00:00:00Reported by apacheType

cve🔗 web.nvd.nist.gov📰️ 12 Media mentions👁 1052 Views🌐 WEB

Apache Commons Text 1.5-1.9 allows remote code execution or unintentional contact with remote servers via dynamic property interpolation (CVE-2022-42889

Reporter	Title	Published	Views	Family All 246
GithubExploit	Exploit for Code Injection in Apache Commons_Text	9 Sep 202312:11	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	27 Jun 202308:29	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	4 Nov 202219:26	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	9 Sep 202312:11	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	20 Oct 202218:07	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	24 Mar 202515:58	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	22 Oct 202202:06	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	19 Oct 202222:56	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	18 Oct 202213:53	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Commons_Text	5 Nov 202207:32	–	githubexploit

NVD

Vulners

Node

apache commons_textRange1.5–1.10.0

Node

netapp bluexpMatch-

Node

juniper security_threat_response_managerRange<7.5.0

juniper security_threat_response_managerMatch7.5.0-

juniper security_threat_response_managerMatch7.5.0up1

juniper security_threat_response_managerMatch7.5.0up2

juniper security_threat_response_managerMatch7.5.0up3

AND

juniper jsa1500Match-

juniper jsa3500Match-

juniper jsa3800Match-

juniper jsa5500Match-

juniper jsa5800Match-

juniper jsa7500Match-

juniper jsa7800Match-

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Commons Text",
    "versions": [
      {
        "version": "unspecified",
        "lessThanOrEqual": "1.9",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "1.5",
        "status": "affected",
        "lessThan": "Apache Commons Text*",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
seclists	www.seclists.org/fulldisclosure/2023/Feb/3
openwall	www.openwall.com/lists/oss-security/2022/10/13/4
security	www.security.netapp.com/advisory/ntap-20221020-0004/
lists	www.lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
packetstormsecurity	www.packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
psirt	www.psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
packetstormsecurity	www.packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
security	www.security.gentoo.org/glsa/202301-05
openwall	www.openwall.com/lists/oss-security/2022/10/18/1

Parameter	Position	Path	Description	CWE
data	query param	/?data={encoded_payload}	POST-based RCE via Apache Commons Text script interpolator (Text4Shell) in vulnerable versions; payload delivered in data parameter.	CWE-94