Text4Shell Remote Code Execution – (CVE-2022-42889)

Severity: Critical

Summary#

Invicti detected that the application is vulnerable to a remote code execution (RCE) vulnerability which has CVE-2022-42889 number assigned and mainly affects Apache Software Foundation Commons Text from 1.5 to 1.10.0

Impact#

The vulnerability allows attackers to execute arbitrary code on the target systems. The attacker may also be able to execute arbitrary system commands.
There is a publicly available exploit of the vulnerability. It should therefore be addressed as soon as possible.

Remediation#

The StringSubstitutor when used with the default interpolators (StringSubstitutor.createInterpolator()) will perform string lookups that may lead to arbitrary code execution. Please disable script interpolation.

Classifications#

HIPAA-164.306(a), 164.308(a), PCI v3.2-6.5.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CAPEC-242, CWE-94, OWASP 2013-A03, OWASP 2017-A01, ISO27001-A.14.2.5