PCI v3.2-6.5.1
CAPEC-242
CWE-94
HIPAA-164.306(a), 164.308(a)
ISO27001-A.14.2.5
OWASP 2013-A1
OWASP 2017-A01
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Text4Shell Remote Code Execution - (CVE-2022-42889)

Severity:
Critical
Summary

Invicti detected that the application is vulnerable to a remote code execution (RCE) vulnerability which has CVE-2022-42889 number assigned and mainly affects Apache Software Foundation Commons Text from 1.5 to 1.10.0

Impact
  • The vulnerability allows attackers to execute arbitrary code on the target systems. The attacker may also be able to execute arbitrary system commands.
  • There is a publicly available exploit of the vulnerability. It should therefore be addressed as soon as possible.
Remediation

The StringSubstitutor when used with the default interpolators (StringSubstitutor.createInterpolator()) will perform string lookups that may lead to arbitrary code execution. Please disable script interpolation.

Required Skills for Successful Exploitation
Actions To Take
Classifications
PCI v3.2-6.5.1
CAPEC-242
CWE-94
HIPAA-164.306(a), 164.308(a)
ISO27001-A.14.2.5
OWASP 2013-A1
OWASP 2017-A01
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Index

You can search and find all vulnerabilities

Select Category
Critical
High
Medium
Low
Best Practice
Information
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Related Vulnerabilities

Featured resources

No items found.
No items found.
View all resources

Build your resistance to threats. And save hundreds of hours each month.

Get a Demo