Text4Shell Remote Code Execution – (CVE-2022-42889)

Severity: Critical
Summary

Invicti detected that the application is vulnerable to a remote code execution (RCE) vulnerability, assigned CVE-2022-42889, which mainly affects Apache Software Foundation Commons Text from 1.5 to 1.10.0.

Impact
  • The vulnerability allows attackers to execute arbitrary code on the target systems. The attacker may also be able to execute arbitrary system commands.
  • There is a publicly available exploit of the vulnerability. It should therefore be addressed as soon as possible.

Remediation

When StringSubstitutor is used with the default interpolators (StringSubstitutor.createInterpolator()), it performs string lookups that may lead to arbitrary code execution. Disable script interpolation.
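The following added example (not part of the Invicti advisory or of Commons Text itself) contrasts the weak default-interpolator construction with one that registers only an explicit set of lookups; it assumes Apache Commons Text on the classpath and a hypothetical application-specific lookup prefix named `app`.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Weak: createInterpolator() wires in every built-in lookup. In the
    // affected Commons Text releases that set includes the script, dns and
    // url lookups, so any untrusted text reaching replace() is interpolated
    // with them available.
    static String weak(String untrusted) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(untrusted);
    }

    // Hardened: register only the lookups the application actually needs
    // (here a fixed map of application values under the hypothetical prefix
    // "app") and pass addDefaultLookups=false so that script, dns, url and
    // the rest of the default lookup set are never registered at all.
    static String hardened(String untrusted, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(values));
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        // Keep nested ${...} inside variable names disabled (the default),
        // so a variable name cannot itself be assembled from a lookup.
        sub.setEnableSubstitutionInVariables(false);
        return sub.replace(untrusted);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("greeting", "hello");
        // Constructed sample input: one allowed placeholder and one placeholder
        // using a default prefix, which the hardened substitutor must leave
        // unresolved because that lookup was never registered.
        String input = "${app:greeting} / ${sys:user.name}";
        System.out.println(hardened(input, values));
    }
}
```

Reviewing each StringSubstitutor construction in the code base for `createInterpolator()` and for `interpolatorStringLookup(...)` calls with `addDefaultLookups=true` is a quick way to find the instances this remediation applies to.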
