[jira] [Closed] (TEXT-225) Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)

2023-06-20 Thread Nikhil (Jira)


 [ 
https://issues.apache.org/jira/browse/TEXT-225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nikhil closed TEXT-225.
---
Fix Version/s: 1.10.0
   Resolution: Not A Problem

Fixed in 1.10

> Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)
> --
>
> Key: TEXT-225
> URL: https://issues.apache.org/jira/browse/TEXT-225
> Project: Commons Text
>  Issue Type: Bug
>Affects Versions: 1.5, 1.6, 1.7, 1.8, 1.9
>Reporter: Nikhil
>Priority: Major
> Fix For: 1.10.0
>
>
> Apache Commons Text performs variable interpolation, allowing properties to 
> be dynamically evaluated and expanded. The standard format for interpolation 
> is "${prefix:name}", where "prefix" is used to locate an instance of 
> org.apache.commons.text.lookup.StringLookup that performs the interpolation. 
> Starting with version 1.5 and continuing through 1.9, the set of default 
> Lookup instances included interpolators that could result in arbitrary code 
> execution or contact with remote servers. These lookups are:
>
> - "script" - execute expressions using the JVM script execution engine (javax.script)
> - "dns" - resolve dns records
> - "url" - load values from urls, including from remote servers
>
> Applications using the interpolation defaults in the affected versions may 
> be vulnerable to remote code execution or unintentional contact with remote 
> servers if untrusted configuration values are used. Users are recommended to 
> upgrade to Apache Commons Text 1.10.0, which disables the problematic 
> interpolators by default.
>  
> See [https://nvd.nist.gov/vuln/detail/cve-2022-42889] for more details.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (TEXT-225) Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)

2023-06-20 Thread Nikhil (Jira)
Nikhil created TEXT-225:
---

 Summary: Apache Commons Arbitrary Code Execution Vulnerability 
(CVE-2022-42889)
 Key: TEXT-225
 URL: https://issues.apache.org/jira/browse/TEXT-225
 Project: Commons Text
  Issue Type: Bug
Affects Versions: 1.9, 1.8, 1.7, 1.6, 1.5
Reporter: Nikhil


Apache Commons Text performs variable interpolation, allowing properties to be 
dynamically evaluated and expanded. The standard format for interpolation is 
"${prefix:name}", where "prefix" is used to locate an instance of 
org.apache.commons.text.lookup.StringLookup that performs the interpolation. 
Starting with version 1.5 and continuing through 1.9, the set of default Lookup 
instances included interpolators that could result in arbitrary code execution 
or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be 
vulnerable to remote code execution or unintentional contact with remote 
servers if untrusted configuration values are used. Users are recommended to 
upgrade to Apache Commons Text 1.10.0, which disables the problematic 
interpolators by default.

 

See [https://nvd.nist.gov/vuln/detail/cve-2022-42889] for more details.



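The two TEXT-225 messages above describe the mechanism in prose only. The following is an added example, written for this page and not taken from the Jira issue or from the Commons Text project, showing the default interpolator next to an allow-listed one. It assumes commons-text on the classpath, uses the public StringSubstitutor / StringLookupFactory API that exists in 1.5 through 1.10.0, and the class name InterpolationDemo and the sample configuration value are constructed for the demonstration. The "script" expression is a harmless arithmetic expression rather than a shell command; on 1.5-1.9 with a javax.script JavaScript engine present (Nashorn, removed in JDK 15) it is evaluated, on 1.10.0 it is left as literal text because the lookup is no longer registered by default.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not project code): default interpolation of Commons Text
 * 1.5-1.9 versus an interpolator that only exposes allow-listed prefixes.
 */
public class InterpolationDemo {

    // Constructed sample input: imagine this string came from a user-editable
    // configuration value. The "script" prefix selects the javax.script lookup.
    static final String UNTRUSTED = "port=${script:javascript:40 + 2}";

    /**
     * Vulnerable on 1.5-1.9: the no-argument interpolator registers every
     * default lookup, including "script", "dns" and "url". On 1.10.0 the same
     * call returns the input unchanged because those three are disabled.
     */
    static String interpolateWithDefaults(String value) {
        StringLookup defaults = StringLookupFactory.INSTANCE.interpolatorStringLookup();
        return new StringSubstitutor(defaults).replace(value);
    }

    /**
     * Hardened on every version: build the prefix map ourselves and pass
     * addDefaultLookups=false, so only "app" and "env" resolve. Any other
     * prefix has no lookup and the variable is left in place, never evaluated.
     */
    static StringSubstitutor allowListedSubstitutor(Map<String, String> appConfig) {
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appConfig));
        lookups.put(StringLookupFactory.KEY_ENV,
                StringLookupFactory.INSTANCE.environmentVariableStringLookup());
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(lookups, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> config = new HashMap<>();
        config.put("name", "demo");

        // 1.5-1.9 with a JS engine: "port=42" (expression executed).
        // 1.10.0: "port=${script:javascript:40 + 2}" (left as-is).
        System.out.println("defaults:    " + interpolateWithDefaults(UNTRUSTED));

        StringSubstitutor safe = allowListedSubstitutor(config);
        // Same untrusted input, unknown prefix: printed verbatim on every version.
        System.out.println("allow-list:  " + safe.replace(UNTRUSTED));
        // Allow-listed prefix still works: prints "hello demo".
        System.out.println("allow-list:  " + safe.replace("hello ${app:name}"));
    }
}
```

The allow-list form is the check worth carrying even after upgrading: 1.10.0 only changes the defaults, and the interpolator still honours whatever prefixes an application registers explicitly, so a review should look for `interpolatorStringLookup(...)` calls that pass `addDefaultLookups=true` or add `KEY_SCRIPT`, `KEY_DNS` or `KEY_URL` to the map, and for the `org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups` system property, which 1.10.0 reads to re-enable lookups at startup.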


[GitHub] [commons-collections] garydgregory merged pull request #398: Changes required to open testing to new implementations.

2023-06-20 Thread via GitHub


garydgregory merged PR #398:
URL: https://github.com/apache/commons-collections/pull/398


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@commons.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [commons-collections] aherbert commented on pull request #398: Changes required to open testing to new implementations.

2023-06-20 Thread via GitHub


aherbert commented on PR #398:
URL: 
https://github.com/apache/commons-collections/pull/398#issuecomment-1599240096

   Sure. If it helps Claude develop his prototype before merge then this moves 
the project forward. I just questioned the making public of test methods and 
classes without a reason. Prototype development is reason enough.





[GitHub] [commons-csv] garydgregory commented on pull request #309: Document duplicate header behavior

2023-06-20 Thread via GitHub


garydgregory commented on PR #309:
URL: https://github.com/apache/commons-csv/pull/309#issuecomment-1598598926

   Hi All,
   
   I'll start a thread on the ML for 
https://github.com/apache/commons-csv/pull/309#issuecomment-1441456258





[GitHub] [commons-csv] garydgregory merged pull request #309: (doc): Document duplicate header behavior

2023-06-20 Thread via GitHub


garydgregory merged PR #309:
URL: https://github.com/apache/commons-csv/pull/309





[GitHub] [commons-csv] garydgregory closed pull request #318: refactored CSVPrinterTest.java PerformanceTest.java and PerformanceTe…

2023-06-20 Thread via GitHub


garydgregory closed pull request #318: refactored CSVPrinterTest.java 
PerformanceTest.java and PerformanceTe…
URL: https://github.com/apache/commons-csv/pull/318





[GitHub] [commons-csv] garydgregory commented on pull request #318: refactored CSVPrinterTest.java PerformanceTest.java and PerformanceTe…

2023-06-20 Thread via GitHub


garydgregory commented on PR #318:
URL: https://github.com/apache/commons-csv/pull/318#issuecomment-1598591293

   Closing: no reply.





[GitHub] [commons-csv] garydgregory closed pull request #319: refactor: made some minor refactorings.

2023-06-20 Thread via GitHub


garydgregory closed pull request #319: refactor: made some minor refactorings.
URL: https://github.com/apache/commons-csv/pull/319





[GitHub] [commons-collections] garydgregory commented on pull request #398: Changes required to open testing to new implementations.

2023-06-20 Thread via GitHub


garydgregory commented on PR #398:
URL: 
https://github.com/apache/commons-collections/pull/398#issuecomment-1598588850

   @aherbert I am OK to merge this, are you?





[GitHub] [commons-collections] garydgregory commented on pull request #398: Changes required to open testing to new implementations.

2023-06-20 Thread via GitHub


garydgregory commented on PR #398:
URL: 
https://github.com/apache/commons-collections/pull/398#issuecomment-1598588475

   > Member
   
   Also, note that these are test classes that are being made public, therefore 
increasing the API footprint is NOT an issue.

