I do not believe so, but there will be a more in-depth investigation and likely an upgrade in the next release.
:~/Projects/knox$ grep -r StringSubstitutor .
Binary file ./install/knox-2.0.0-SNAPSHOT/dep/commons-text-1.9.jar matches

It appears to only exist as the API in the lib itself.

On Mon, Oct 24, 2022 at 12:36 PM O'Connell, Richard via user <[email protected]> wrote:

> Hi,
>
> Is Knox affected by this vulnerability?
>
> https://commons.apache.org/proper/commons-text/security.html
>
> ………
>
> On 2022-10-13, the Apache Commons Text team disclosed CVE-2022-42889
> <https://www.cve.org/CVERecord?id=CVE-2022-42889>. Key takeaways:
>
> · If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
>
> · If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.
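The thread's triage boils down to two questions: which commons-text version is shipped, and does any code outside the library itself call the StringSubstitutor API. The script below automates both over a deployment tree such as the `install/` directory grepped above. It is an added example, not Knox project code or anything from the commons-text advisory. It assumes that a caller's dependency on the class shows up in its `.class` files as the JVM internal name `org/apache/commons/text/StringSubstitutor` (the constant-pool form a compiler records), and it builds a constructed sample tree with stand-in class payloads so it runs offline; on a real install point `triage()` at the unpacked distribution instead.

```python
"""Triage helper for CVE-2022-42889 exposure in a deployed Java tree.

Added example (not Knox or commons-text project code). It answers the two
questions raised in the thread: which commons-text jar is shipped, and does
any class outside the library itself reference the StringSubstitutor API.
Assumption: a caller's use of the class is visible in its .class bytes as the
JVM internal name below, which is how the constant pool names a class.
"""
import tempfile
import zipfile
import re
from pathlib import Path

FIXED_VERSION = (1, 10, 0)  # the release the advisory names as the fix
SUBSTITUTOR_INTERNAL_NAME = b"org/apache/commons/text/StringSubstitutor"
VERSION_RE = re.compile(r"commons-text-(\d+)\.(\d+)(?:\.(\d+))?")


def commons_text_version(jar_name: str):
    """Return (major, minor, patch) parsed from a commons-text jar name, else None."""
    m = VERSION_RE.search(jar_name)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable_version(version) -> bool:
    """True when the shipped library predates the fixed release."""
    return version is not None and version < FIXED_VERSION


def substitutor_references(jar_path: Path):
    """List .class entries in a jar whose bytes reference StringSubstitutor.

    Entries that define the class itself (StringSubstitutor.class and its
    inner classes) are skipped so the result names callers only.
    """
    callers = []
    with zipfile.ZipFile(jar_path) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".class"):
                continue
            if entry.startswith("org/apache/commons/text/StringSubstitutor"):
                continue
            if SUBSTITUTOR_INTERNAL_NAME in zf.read(entry):
                callers.append(entry)
    return callers


def triage(root: Path) -> dict:
    """Walk a deployment tree and summarise commons-text exposure.

    Library jars are reported with their version and a vulnerable flag; every
    other jar is scanned for classes that call into the StringSubstitutor API.
    """
    report = {"library_jars": [], "callers": []}
    for jar in sorted(Path(root).rglob("*.jar")):
        version = commons_text_version(jar.name)
        if version is not None:
            report["library_jars"].append(
                {"jar": jar.name, "version": version,
                 "vulnerable": is_vulnerable_version(version)}
            )
            continue  # references inside the library itself are expected
        for entry in substitutor_references(jar):
            report["callers"].append((jar.name, entry))
    return report


def build_sample_tree(root: Path) -> Path:
    """Write a constructed (not real) deployment tree for offline testing.

    The .class payloads are stand-ins: the class-file magic number followed by
    the internal name a real constant pool would carry, enough for the scan.
    """
    root = Path(root)
    (root / "dep").mkdir(parents=True, exist_ok=True)
    stub = b"\xca\xfe\xba\xbe" + SUBSTITUTOR_INTERNAL_NAME
    with zipfile.ZipFile(root / "dep" / "commons-text-1.9.jar", "w") as zf:
        zf.writestr("org/apache/commons/text/StringSubstitutor.class", stub)
        zf.writestr("org/apache/commons/text/StringSubstitutor$1.class", stub)
    with zipfile.ZipFile(root / "app.jar", "w") as zf:
        zf.writestr("com/example/TemplateRenderer.class", stub)  # hypothetical caller
        zf.writestr("com/example/Unrelated.class", b"\xca\xfe\xba\xbejava/lang/Object")
    return root


def run_sample_triage() -> dict:
    """Build the constructed tree in a temp dir and return its triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for lib in run_sample_triage()["library_jars"]:
        print(lib)
    for jar, entry in run_sample_triage()["callers"]:
        print(f"caller: {jar}!{entry}")
```

Run against the sample tree it flags `commons-text-1.9.jar` as below the fixed version and lists the one constructed caller; a tree where `callers` comes back empty matches the "only exists as the API in the lib itself" finding above, which is what makes the upgrade a hygiene fix rather than an urgent one.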
