[jira] [Closed] (TEXT-225) Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)
[
https://issues.apache.org/jira/browse/TEXT-225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nikhil closed TEXT-225.
---
Fix Version/s: 1.10.0
Resolution: Not A Problem
Fixed in 1.10
> Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)
> --
>
> Key: TEXT-225
> URL: https://issues.apache.org/jira/browse/TEXT-225
> Project: Commons Text
> Issue Type: Bug
>Affects Versions: 1.5, 1.6, 1.7, 1.8, 1.9
>Reporter: Nikhil
>Priority: Major
> Fix For: 1.10.0
>
>
> Apache Commons Text performs variable interpolation, allowing properties to
> be dynamically evaluated and expanded. The standard format for interpolation
> is "${prefix:name}", where "prefix" is used to locate an instance of
> org.apache.commons.text.lookup.StringLookup that performs the interpolation.
> Starting with version 1.5 and continuing through 1.9, the set of default
> Lookup instances included interpolators that could result in arbitrary code
> execution or contact with remote servers. These lookups are: - "script" -
> execute expressions using the JVM script execution engine (javax.script) -
> "dns" - resolve dns records - "url" - load values from urls, including from
> remote servers Applications using the interpolation defaults in the affected
> versions may be vulnerable to remote code execution or unintentional contact
> with remote servers if untrusted configuration values are used. Users are
> recommended to upgrade to Apache Commons Text 1.10.0, which disables the
> problematic interpolators by default.
>
> See [https://nvd.nist.gov/vuln/detail/cve-2022-42889] for more details..
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Created] (TEXT-225) Apache Commons Arbitrary Code Execution Vulnerability (CVE-2022-42889)
Nikhil created TEXT-225:
---
Summary: Apache Commons Arbitrary Code Execution Vulnerability
(CVE-2022-42889)
Key: TEXT-225
URL: https://issues.apache.org/jira/browse/TEXT-225
Project: Commons Text
Issue Type: Bug
Affects Versions: 1.9, 1.8, 1.7, 1.6, 1.5
Reporter: Nikhil
Apache Commons Text performs variable interpolation, allowing properties to be
dynamically evaluated and expanded. The standard format for interpolation is
"${prefix:name}", where "prefix" is used to locate an instance of
org.apache.commons.text.lookup.StringLookup that performs the interpolation.
Starting with version 1.5 and continuing through 1.9, the set of default Lookup
instances included interpolators that could result in arbitrary code execution
or contact with remote servers. These lookups are: - "script" - execute
expressions using the JVM script execution engine (javax.script) - "dns" -
resolve dns records - "url" - load values from urls, including from remote
servers Applications using the interpolation defaults in the affected versions
may be vulnerable to remote code execution or unintentional contact with remote
servers if untrusted configuration values are used. Users are recommended to
upgrade to Apache Commons Text 1.10.0, which disables the problematic
interpolators by default.
See [https://nvd.nist.gov/vuln/detail/cve-2022-42889] for more details..
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Created] (IMAGING-343) Apache Commons Imaging 0.97 - CVE-2018-17202
Nikhil created IMAGING-343:
--
Summary: Apache Commons Imaging 0.97 - CVE-2018-17202
Key: IMAGING-343
URL: https://issues.apache.org/jira/browse/IMAGING-343
Project: Commons Imaging
Issue Type: Bug
Affects Versions: 0.97
Reporter: Nikhil
Certain input files could make the code to enter into an infinite loop when
Apache Sanselan 0.97-incubator was used to parse them, which could be used in a
DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache
Commons Imaging.
See [https://nvd.nist.gov/vuln/detail/CVE-2018-17202] for more details.
There is Apache Commons Imaging 1.0-{*}alpha3{*} version available.. but we are
trying to understand if a new *GA* will be made available and also to see if
this specific CVE is addressed in the latest versions ?
Please help
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (IMAGING-338) Sanselan returns an empty set when retrieving the image metadata
[
https://issues.apache.org/jira/browse/IMAGING-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17634179#comment-17634179
]
Nikhil commented on IMAGING-338:
Hi [~ggregory]
I do not have the specific test code since we are tightly coupled code in our
project and through debug we could find this -
The problem is in {*}IPTCParser.parseIPTCBlock{*}. with {*}TestImage.jpg{*}, we
correctly determine it is a IPTC block with isIPTCBlock() but then fail to
parse anything within parseIPTCBlock.
We enter into this code and return an empty ArrayList (elements):
if (tagMarker != IPTC_RECORD_TAG_MARKER)
{ if (verbose) System.out .println("Unexpected record tag marker in IPTC
data."); return elements; }
But with a working image, we continue and parse all the IPTC tags.
> Sanselan returns an empty set when retrieving the image metadata
>
>
> Key: IMAGING-338
> URL: https://issues.apache.org/jira/browse/IMAGING-338
> Project: Commons Imaging
> Issue Type: Bug
>Affects Versions: 0.97
>Reporter: Nikhil
>Priority: Major
> Attachments: TestImage.jpg
>
>
> We were using Sanselan to extract IPTC metadata. Recently there were images
> thats causing Sanselan to return an empty set when retrieving the metadata,
> despite the fact that there is clearly iptc metadata in the image.
>
> The problem is seen in the following codebase
> IPTCParser.parseIPTCBlock(...), and is the second 'if' statement within the
> while loop. In particular, instead of the following:
> if (tagMarker != IPTC_RECORD_TAG_MARKER) {
> if (verbose) {
> System.out.println("Unexpected record tag marker in IPTC data.");
> }
> {*}return elements{*};
> }
>
> You should do the following to fix the issue:
>
> if (tagMarker != IPTC_RECORD_TAG_MARKER) {
> if (verbose) {
> System.out.println("Unexpected record tag marker in IPTC data.");
> }
> *continue;*
> }
>
> Credit @
> [https://www.mail-archive.com/sanselan-dev@incubator.apache.org/msg00430.html]
> for the detailed notes
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (IMAGING-338) Sanselan returns an empty set when retrieving the image metadata
[
https://issues.apache.org/jira/browse/IMAGING-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17631603#comment-17631603
]
Nikhil commented on IMAGING-338:
This code is same in the latest library as well and please find the image where
we are able to replicate the issue ({*}TestImage.jpg{*})
> Sanselan returns an empty set when retrieving the image metadata
>
>
> Key: IMAGING-338
> URL: https://issues.apache.org/jira/browse/IMAGING-338
> Project: Commons Imaging
> Issue Type: Bug
>Affects Versions: 0.97
>Reporter: Nikhil
>Priority: Major
> Attachments: TestImage.jpg
>
>
> We were using Sanselan to extract IPTC metadata. Recently there were images
> thats causing Sanselan to return an empty set when retrieving the metadata,
> despite the fact that there is clearly iptc metadata in the image.
>
> The problem is seen in the following codebase
> IPTCParser.parseIPTCBlock(...), and is the second 'if' statement within the
> while loop. In particular, instead of the following:
> if (tagMarker != IPTC_RECORD_TAG_MARKER) {
> if (verbose) {
> System.out.println("Unexpected record tag marker in IPTC data.");
> }
> {*}return elements{*};
> }
>
> You should do the following to fix the issue:
>
> if (tagMarker != IPTC_RECORD_TAG_MARKER) {
> if (verbose) {
> System.out.println("Unexpected record tag marker in IPTC data.");
> }
> *continue;*
> }
>
> Credit @
> [https://www.mail-archive.com/sanselan-dev@incubator.apache.org/msg00430.html]
> for the detailed notes
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (IMAGING-338) Sanselan returns an empty set when retrieving the image metadata
[
https://issues.apache.org/jira/browse/IMAGING-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nikhil updated IMAGING-338:
---
Attachment: TestImage.jpg
> Sanselan returns an empty set when retrieving the image metadata
>
>
> Key: IMAGING-338
> URL: https://issues.apache.org/jira/browse/IMAGING-338
> Project: Commons Imaging
> Issue Type: Bug
>Affects Versions: 0.97
>Reporter: Nikhil
>Priority: Major
> Attachments: TestImage.jpg
>
>
> We were using Sanselan to extract IPTC metadata. Recently there were images
> thats causing Sanselan to return an empty set when retrieving the metadata,
> despite the fact that there is clearly iptc metadata in the image.
>
> The problem is seen in the following codebase
> IPTCParser.parseIPTCBlock(...), and is the second 'if' statement within the
> while loop. In particular, instead of the following:
> if (tagMarker != IPTC_RECORD_TAG_MARKER) {
> if (verbose) {
> System.out.println("Unexpected record tag marker in IPTC data.");
> }
> {*}return elements{*};
> }
>
> You should do the following to fix the issue:
>
> if (tagMarker != IPTC_RECORD_TAG_MARKER) {
> if (verbose) {
> System.out.println("Unexpected record tag marker in IPTC data.");
> }
> *continue;*
> }
>
> Credit @
> [https://www.mail-archive.com/sanselan-dev@incubator.apache.org/msg00430.html]
> for the detailed notes
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Created] (IMAGING-338) Sanselan returns an empty set when retrieving the image metadata
Nikhil created IMAGING-338:
--
Summary: Sanselan returns an empty set when retrieving the image
metadata
Key: IMAGING-338
URL: https://issues.apache.org/jira/browse/IMAGING-338
Project: Commons Imaging
Issue Type: Bug
Affects Versions: 0.97
Reporter: Nikhil
We were using Sanselan to extract IPTC metadata. Recently there were images
thats causing Sanselan to return an empty set when retrieving the metadata,
despite the fact that there is clearly iptc metadata in the image.
The problem is seen in the following codebase
IPTCParser.parseIPTCBlock(...), and is the second 'if' statement within the
while loop. In particular, instead of the following:
if (tagMarker != IPTC_RECORD_TAG_MARKER) {
if (verbose) {
System.out.println("Unexpected record tag marker in IPTC data.");
}
{*}return elements{*};
}
You should do the following to fix the issue:
if (tagMarker != IPTC_RECORD_TAG_MARKER) {
if (verbose) {
System.out.println("Unexpected record tag marker in IPTC data.");
}
*continue;*
}
Credit @
[https://www.mail-archive.com/sanselan-dev@incubator.apache.org/msg00430.html]
for the detailed notes
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
