[jira] [Closed] (TEXT-225) Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)
[ https://issues.apache.org/jira/browse/TEXT-225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nikhil closed TEXT-225.
---
    Fix Version/s: 1.10.0
       Resolution: Not A Problem

Fixed in 1.10

> Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)
> --
>
>                 Key: TEXT-225
>                 URL: https://issues.apache.org/jira/browse/TEXT-225
>             Project: Commons Text
>          Issue Type: Bug
>    Affects Versions: 1.5, 1.6, 1.7, 1.8, 1.9
>            Reporter: Nikhil
>            Priority: Major
>             Fix For: 1.10.0
>
>
> Apache Commons Text performs variable interpolation, allowing properties to
> be dynamically evaluated and expanded. The standard format for interpolation
> is "${prefix:name}", where "prefix" is used to locate an instance of
> org.apache.commons.text.lookup.StringLookup that performs the interpolation.
> Starting with version 1.5 and continuing through 1.9, the set of default
> Lookup instances included interpolators that could result in arbitrary code
> execution or contact with remote servers. These lookups are:
>
> - "script" - execute expressions using the JVM script execution engine
>   (javax.script)
> - "dns" - resolve DNS records
> - "url" - load values from URLs, including from remote servers
>
> Applications using the interpolation defaults in the affected versions may
> be vulnerable to remote code execution or unintentional contact with remote
> servers if untrusted configuration values are used. Users are recommended to
> upgrade to Apache Commons Text 1.10.0, which disables the problematic
> interpolators by default.
>
> See [https://nvd.nist.gov/vuln/detail/cve-2022-42889] for more details.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (TEXT-225) Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)
Nikhil created TEXT-225:
---
             Summary: Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)
                 Key: TEXT-225
                 URL: https://issues.apache.org/jira/browse/TEXT-225
             Project: Commons Text
          Issue Type: Bug
    Affects Versions: 1.9, 1.8, 1.7, 1.6, 1.5
            Reporter: Nikhil

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

See [https://nvd.nist.gov/vuln/detail/cve-2022-42889] for more details.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
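
An added example, not part of the original message or of the Commons Text project: one way to keep untrusted values away from the "script", "dns" and "url" lookups described above is to build the interpolator from an explicit allow-list instead of the defaults. The class name, the choice of allowed prefixes and the sample string are assumptions made for illustration; upgrading to 1.10.0 remains the fix the report recommends.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class AllowListedInterpolation {

    /** Builds a substitutor that resolves only the prefixes registered here. */
    static StringSubstitutor allowListed() {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", factory.systemPropertyStringLookup());
        allowed.put("env", factory.environmentVariableStringLookup());
        // Third argument false: the built-in default lookups (which in 1.5 to 1.9
        // include script, dns and url) are NOT added to the map.
        // Second argument null: no fallback lookup for unknown prefixes.
        StringLookup lookup = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup);
    }

    public static void main(String[] args) {
        // Constructed sample of an untrusted configuration value. The script and
        // dns entries are placeholders, not working expressions.
        String untrusted = "user=${sys:user.name} "
                + "a=${script:engine:expression} "
                + "b=${dns:example.org}";

        // Pattern to look for in code review: the default interpolator, which on
        // affected versions would hand all three prefixes to their lookups.
        // String risky = StringSubstitutor.createInterpolator().replace(untrusted);

        // With the allow-list, only ${sys:...} is resolved; the unknown prefixes
        // are left in the output as literal text.
        System.out.println(allowListed().replace(untrusted));
    }
}
```

Searching a code base for `StringSubstitutor.createInterpolator()` and for `interpolatorStringLookup()` calls that take no arguments is a quick way to find call sites that rely on the defaults.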
[jira] [Created] (IMAGING-343) Apache Commons Imaging 0.97 - CVE-2018-17202
Nikhil created IMAGING-343:
--
             Summary: Apache Commons Imaging 0.97 - CVE-2018-17202
                 Key: IMAGING-343
                 URL: https://issues.apache.org/jira/browse/IMAGING-343
             Project: Commons Imaging
          Issue Type: Bug
    Affects Versions: 0.97
            Reporter: Nikhil

Certain input files could make the code enter an infinite loop when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging.

See [https://nvd.nist.gov/vuln/detail/CVE-2018-17202] for more details.

There is an Apache Commons Imaging 1.0-alpha3 version available, but we are trying to understand if a new GA will be made available and also to see if this specific CVE is addressed in the latest versions? Please help

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (IMAGING-338) Sanselan returns an empty set when retrieving the image metadata
[ https://issues.apache.org/jira/browse/IMAGING-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17634179#comment-17634179 ]

Nikhil commented on IMAGING-338:

Hi [~ggregory]

I do not have the specific test code since we have tightly coupled code in our project, and through debugging we could find this:

The problem is in IPTCParser.parseIPTCBlock. With TestImage.jpg, we correctly determine it is an IPTC block with isIPTCBlock() but then fail to parse anything within parseIPTCBlock. We enter this code and return an empty ArrayList (elements):

    if (tagMarker != IPTC_RECORD_TAG_MARKER) {
        if (verbose)
            System.out.println("Unexpected record tag marker in IPTC data.");
        return elements;
    }

But with a working image, we continue and parse all the IPTC tags.

> Sanselan returns an empty set when retrieving the image metadata
>
>
>                 Key: IMAGING-338
>                 URL: https://issues.apache.org/jira/browse/IMAGING-338
>             Project: Commons Imaging
>          Issue Type: Bug
>    Affects Versions: 0.97
>            Reporter: Nikhil
>            Priority: Major
>         Attachments: TestImage.jpg
>
>
> We were using Sanselan to extract IPTC metadata. Recently there were images
> that are causing Sanselan to return an empty set when retrieving the metadata,
> despite the fact that there is clearly IPTC metadata in the image.
>
> The problem is seen in the following codebase
> IPTCParser.parseIPTCBlock(...), and is the second 'if' statement within the
> while loop. In particular, instead of the following:
>
>     if (tagMarker != IPTC_RECORD_TAG_MARKER) {
>         if (verbose) {
>             System.out.println("Unexpected record tag marker in IPTC data.");
>         }
>         return elements;
>     }
>
> You should do the following to fix the issue:
>
>     if (tagMarker != IPTC_RECORD_TAG_MARKER) {
>         if (verbose) {
>             System.out.println("Unexpected record tag marker in IPTC data.");
>         }
>         continue;
>     }
>
> Credit @
> [https://www.mail-archive.com/sanselan-dev@incubator.apache.org/msg00430.html]
> for the detailed notes

--
This message was sent by Atlassian Jira (v8.20.10#820010)
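
An added example, not code from Sanselan or Commons Imaging: a self-contained sketch of the two behaviours contrasted in the report above, run over a constructed IPTC-style block that starts with one stray byte. The record layout (marker, record number, dataset number, two-byte big-endian length, data), the marker value 0x1c and all names are assumptions made for this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class IptcResyncDemo {
    static final int TAG_MARKER = 0x1c; // assumed record marker for this sketch

    /** Parses marker | record | dataset | length (2 bytes) | data records. */
    static List<String> parse(byte[] b, boolean skipBadMarker) {
        List<String> elements = new ArrayList<>();
        int i = 0;
        while (i + 5 <= b.length) {          // a full 5-byte header must fit
            int marker = b[i++] & 0xff;      // always consumes a byte, so the loop ends
            if (marker != TAG_MARKER) {
                if (skipBadMarker) {
                    continue;                // proposed change: skip the byte, try again
                }
                return elements;             // reported behaviour: stop at first bad byte
            }
            int record = b[i++] & 0xff;
            int dataset = b[i++] & 0xff;
            int len = ((b[i++] & 0xff) << 8) | (b[i++] & 0xff);
            if (len > b.length - i) {
                break;                       // declared length exceeds the buffer
            }
            String data = new String(b, i, len, StandardCharsets.ISO_8859_1);
            elements.add(record + ":" + dataset + "=" + data);
            i += len;
        }
        return elements;
    }

    public static void main(String[] args) {
        // Constructed sample: one stray 0x00 byte, then two well-formed records.
        byte[] block = {
            0x00,
            0x1c, 2, 5, 0, 3, 'c', 'a', 't',
            0x1c, 2, 120, 0, 2, 'h', 'i'
        };
        System.out.println("return on bad marker: " + parse(block, false));
        System.out.println("skip on bad marker:   " + parse(block, true));
    }
}
```

Two properties matter when a parser resynchronises on attacker-supplied files: every iteration must consume input so the loop cannot spin forever, and the declared length must be checked against the remaining buffer before it is used.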
[jira] [Commented] (IMAGING-338) Sanselan returns an empty set when retrieving the image metadata
[ https://issues.apache.org/jira/browse/IMAGING-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17631603#comment-17631603 ]

Nikhil commented on IMAGING-338:

This code is the same in the latest library as well; please find the image where we are able to replicate the issue (TestImage.jpg)

> Sanselan returns an empty set when retrieving the image metadata
>
>
>                 Key: IMAGING-338
>                 URL: https://issues.apache.org/jira/browse/IMAGING-338
>             Project: Commons Imaging
>          Issue Type: Bug
>    Affects Versions: 0.97
>            Reporter: Nikhil
>            Priority: Major
>         Attachments: TestImage.jpg
>
>
> We were using Sanselan to extract IPTC metadata. Recently there were images
> that are causing Sanselan to return an empty set when retrieving the metadata,
> despite the fact that there is clearly IPTC metadata in the image.
>
> The problem is seen in the following codebase
> IPTCParser.parseIPTCBlock(...), and is the second 'if' statement within the
> while loop. In particular, instead of the following:
>
>     if (tagMarker != IPTC_RECORD_TAG_MARKER) {
>         if (verbose) {
>             System.out.println("Unexpected record tag marker in IPTC data.");
>         }
>         return elements;
>     }
>
> You should do the following to fix the issue:
>
>     if (tagMarker != IPTC_RECORD_TAG_MARKER) {
>         if (verbose) {
>             System.out.println("Unexpected record tag marker in IPTC data.");
>         }
>         continue;
>     }
>
> Credit @
> [https://www.mail-archive.com/sanselan-dev@incubator.apache.org/msg00430.html]
> for the detailed notes

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (IMAGING-338) Sanselan returns an empty set when retrieving the image metadata
[ https://issues.apache.org/jira/browse/IMAGING-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nikhil updated IMAGING-338:
---
    Attachment: TestImage.jpg

> Sanselan returns an empty set when retrieving the image metadata
>
>
>                 Key: IMAGING-338
>                 URL: https://issues.apache.org/jira/browse/IMAGING-338
>             Project: Commons Imaging
>          Issue Type: Bug
>    Affects Versions: 0.97
>            Reporter: Nikhil
>            Priority: Major
>         Attachments: TestImage.jpg
>
>
> We were using Sanselan to extract IPTC metadata. Recently there were images
> that are causing Sanselan to return an empty set when retrieving the metadata,
> despite the fact that there is clearly IPTC metadata in the image.
>
> The problem is seen in the following codebase
> IPTCParser.parseIPTCBlock(...), and is the second 'if' statement within the
> while loop. In particular, instead of the following:
>
>     if (tagMarker != IPTC_RECORD_TAG_MARKER) {
>         if (verbose) {
>             System.out.println("Unexpected record tag marker in IPTC data.");
>         }
>         return elements;
>     }
>
> You should do the following to fix the issue:
>
>     if (tagMarker != IPTC_RECORD_TAG_MARKER) {
>         if (verbose) {
>             System.out.println("Unexpected record tag marker in IPTC data.");
>         }
>         continue;
>     }
>
> Credit @
> [https://www.mail-archive.com/sanselan-dev@incubator.apache.org/msg00430.html]
> for the detailed notes

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (IMAGING-338) Sanselan returns an empty set when retrieving the image metadata
Nikhil created IMAGING-338:
--
             Summary: Sanselan returns an empty set when retrieving the image metadata
                 Key: IMAGING-338
                 URL: https://issues.apache.org/jira/browse/IMAGING-338
             Project: Commons Imaging
          Issue Type: Bug
    Affects Versions: 0.97
            Reporter: Nikhil

We were using Sanselan to extract IPTC metadata. Recently there were images that are causing Sanselan to return an empty set when retrieving the metadata, despite the fact that there is clearly IPTC metadata in the image.

The problem is seen in the following codebase IPTCParser.parseIPTCBlock(...), and is the second 'if' statement within the while loop. In particular, instead of the following:

    if (tagMarker != IPTC_RECORD_TAG_MARKER) {
        if (verbose) {
            System.out.println("Unexpected record tag marker in IPTC data.");
        }
        return elements;
    }

You should do the following to fix the issue:

    if (tagMarker != IPTC_RECORD_TAG_MARKER) {
        if (verbose) {
            System.out.println("Unexpected record tag marker in IPTC data.");
        }
        continue;
    }

Credit @ [https://www.mail-archive.com/sanselan-dev@incubator.apache.org/msg00430.html] for the detailed notes

--
This message was sent by Atlassian Jira (v8.20.10#820010)