Source: commons-text
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,

The following vulnerability was published for commons-text.

CVE-2022-42889[0]:
| Apache Commons Text performs variable interpolation, allowing
| properties to be dynamically evaluated and expanded. The standard
| format for interpolation is "${prefix:name}", where "prefix" is used
| to locate an instance of org.apache.commons.text.lookup.StringLookup
| that performs the interpolation. Starting with version 1.5 and
| continuing through 1.9, the set of default Lookup instances included
| interpolators that could result in arbitrary code execution or contact
| with remote servers. These lookups are:
| - "script" - execute expressions using the JVM script execution engine (javax.script)
| - "dns" - resolve dns records
| - "url" - load values from urls, including from remote servers
| Applications using the interpolation defaults in the affected versions
| may be vulnerable to remote code execution or unintentional contact
| with remote servers if untrusted configuration values are used. Users
| are recommended to upgrade to Apache Commons Text 1.10.0, which
| disables the problematic interpolators by default.

https://www.openwall.com/lists/oss-security/2022/10/13/4

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-42889
    https://www.cve.org/CVERecord?id=CVE-2022-42889

Please adjust the affected versions in the BTS as needed.
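The interpolation mechanism the CVE text describes, shown as an added example (not part of the bug report and not code from the Apache Commons Text project): the default interpolator resolving a "${script:...}" placeholder found in an untrusted value, next to a substitutor built from an explicit allow-list of lookups. It assumes commons-text 1.5 through 1.9 on the classpath and, for the script branch to evaluate anything, a JDK that still ships a javax.script JavaScript engine (Nashorn, removed in JDK 15); the placeholder strings and the "app" prefix are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationDemo {

    // Constructed sample: a configuration value an attacker controls.
    // "${prefix:name}" is the format the CVE text describes; "script" is one of
    // the default lookups in 1.5..1.9, and "javascript:<expr>" is what the script
    // lookup hands to javax.script. A benign expression is used here on purpose.
    static final String UNTRUSTED_VALUE =
            "greeting=${app:greeting} computed=${script:javascript:6 * 7}";

    // Vulnerable pattern (1.5..1.9): the interpolator lookup with all default
    // lookups registered, so script, dns and url are reachable from any value
    // passed to replace(). On a JDK without a JavaScript engine the script
    // lookup throws instead of evaluating; the point is that it is consulted.
    static String interpolateWithDefaults(String value) {
        StringLookup defaults = StringLookupFactory.INSTANCE.interpolatorStringLookup();
        return new StringSubstitutor(defaults).replace(value);
    }

    // Hardened pattern: only an explicit allow-list of lookups is registered,
    // no default lookup is consulted for unknown prefixes, and addDefaultLookups
    // is false. Unknown prefixes such as "script" resolve to null and the
    // placeholder is left in place unchanged.
    static String interpolateAllowListed(String value, Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        StringLookup restricted = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, /* defaultStringLookup */ null, /* addDefaultLookups */ false);
        return new StringSubstitutor(restricted).replace(value);
    }

    public static void main(String[] args) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("greeting", "hello");

        // Expected on 1.5..1.9 with a JavaScript engine: the script lookup runs
        // and "computed=42" appears; "${app:greeting}" stays unresolved because
        // "app" is not a default prefix.
        try {
            System.out.println("defaults : " + interpolateWithDefaults(UNTRUSTED_VALUE));
        } catch (RuntimeException e) {
            // e.g. no javax.script engine named "javascript" on this JDK
            System.out.println("defaults : script lookup failed: " + e.getMessage());
        }

        // Expected on any version: "greeting=hello" is filled in, the script
        // placeholder is left verbatim and nothing is evaluated.
        System.out.println("allowlist: " + interpolateAllowListed(UNTRUSTED_VALUE, appValues));
    }
}
```

Upgrading to 1.10.0 removes script, dns and url from the defaults, so the first method stops evaluating the placeholder there; the allow-list form is the version-independent fix, because it never depends on what the library chooses to register by default.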