Lucene search
+L

Apache Commons Text 1.5 - 1.9 RCE Vulnerability (Text4Shell)

🗓️ 25 Nov 2022 00:00:00Reported by Copyright (C) 2022 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 31 Views

Apache Commons Text 1.5 - 1.9 RCE Vulnerability (Text4Shell

Related
Refs
Code
# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:apache:commons_text";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.104439");
  script_version("2025-12-19T05:45:49+0000");
  script_tag(name:"last_modification", value:"2025-12-19 05:45:49 +0000 (Fri, 19 Dec 2025)");
  script_tag(name:"creation_date", value:"2022-11-25 10:38:03 +0000 (Fri, 25 Nov 2022)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2022-10-18 03:15:00 +0000 (Tue, 18 Oct 2022)");

  script_cve_id("CVE-2022-42889");

  script_tag(name:"qod_type", value:"executable_version_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Apache Commons Text 1.5 - 1.9 RCE Vulnerability (Text4Shell)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("General");
  script_dependencies("gb_apache_commons_consolidation.nasl");
  script_mandatory_keys("apache/commons/text/detected");

  script_tag(name:"summary", value:"The Apache Commons Text library is prone to a remote code
  execution (RCE) vulnerability dubbed 'Text4Shell'.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Apache Commons Text performs variable interpolation, allowing
  properties to be dynamically evaluated and expanded. The standard format for interpolation is
  '${prefix:name}', where 'prefix' is used to locate an instance of
  org.apache.commons.text.lookup.StringLookup that performs the interpolation. The set of default
  Lookup instances included interpolators that could result in arbitrary code execution or contact
  with remote servers.

  These lookups are:

  - 'script' - execute expressions using the JVM script execution engine (javax.script)

  - 'dns' - resolve dns records

  - 'url' - load values from urls, including from remote servers");

  script_tag(name:"affected", value:"All of the following prerequisites needs to be fulfilled to
  make an application vulnerable:

  - using the Apache Commons Text library in version 1.5 through 1.9

  - using the interpolation defaults

  - using untrusted configuration values (e.g. from untrusted user input)

  Some external resources are also mentioning that the exploitability depends on the used Java
  version.");

  script_tag(name:"solution", value:"- Update to version 1.10 or later which disables the affected
  interpolators by default

  - After updating to version 1.10 make sure that the affected application isn't enabling the
  interpolators again

  - If the affected interpolators are required for the application sanitize untrusted user input");

  script_xref(name:"URL", value:"https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om");
  script_xref(name:"URL", value:"https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/");
  script_xref(name:"URL", value:"https://issues.apache.org/jira/browse/TEXT-225");
  script_xref(name:"URL", value:"https://commons.apache.org/proper/commons-text/changes.html#a1.10.0");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_in_range(version: version, test_version: "1.5", test_version2: "1.9")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "1.10", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 Dec 2025 00:00Current
7.9High risk
Vulners AI Score7.9
CVSS 3.19.8
EPSS0.99931
SSVC
31