Another Java String Interpolation Bug
Posted on 2022-10-17: https://nvd.nist.gov/vuln/detail/CVE-2022-42889
Java “Don’t Run Template Formatting For User Strings Espectially When That Template Formatting Can Make Arbitrary Network Calls” Challenge: Impossible
From @GossiTheDog’s thread on this:
https://twitter.com/gossithedog/status/1582041938638667784
Potential Log4shell situation - Apache Commons Text supports functions that allow code execution, in potentially user supplied text strings.
One to keep an eye on. CVE-2022-42889 allocated and under review.
Version 1.5-1.9, released between 2018-2022
https://twitter.com/GossiTheDog/status/1582015230925996035
This one is going to need smarter minds than me to look at it. There are open source projects which use the function.. Doesn’t mean vuln tho, obvs.
https://twitter.com/1ZRR4H/status/1582040744713256961
Similar to CVE-2022-33980 🤔
${script:js:java.lang.Runtime.getRuntime().exec(“ping -c1 10.10.10.10”)} https://twitter.com/GossiTheDog/status/1582041938638667784
yep it’s essentially a replay of this issue but in a different part of Apache Commons