Text4Shell Remote Code Execution - (CVE-2022-42889)

Summary#

Invicti detected that the application is vulnerable to a remote code execution (RCE) vulnerability which has CVE-2022-42889 number assigned and mainly affects Apache Software Foundation Commons Text from 1.5 to 1.10.0

Impact#

The vulnerability allows attackers to execute arbitrary code on the target systems. The attacker may also be able to execute arbitrary system commands.
There is a publicly available exploit of the vulnerability. It should therefore be addressed as soon as possible.

Remediation#

The StringSubstitutor when used with the default interpolators (StringSubstitutor.createInterpolator()) will perform string lookups that may lead to arbitrary code execution. Please disable script interpolation.

Classifications#

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, OWASP 2013-A03, ISO27001-A.14.2.5, PCI v3.2-6.5.1, OWASP 2017-A01, CWE-94, CAPEC-242, HIPAA-164.306(a), 164.308(a)