image credit: Adobe Stock

Upgrade to Apache Commons Text 1.10 to Avoid New Exploit

November 21, 2022

Via: InfoQ

A new vulnerability in the Apache Commons Text, AKA Text4Shell, allows an attacker to execute arbitrary code on the host machine. Originally reported by Alvaro Munoz, principal security researcher at GitHub, CVE-2022-42889, is similar to Spring4Shell and Log4Shell, allowing remote code execution (RCE).

The CVSSv3 system scores the vulnerability at 9.8 with critical severity as it is easily exploitable, and the impact of getting access to the underlying host could potentially affect the reliability and availability of the system. However, it will not have the same broad impact as Log4Shell, for example, since the vulnerability exists in the StringSubstitutor class, which is not a common method but restricted to a specific use case.

Read More on InfoQ