Coordinated Disclosure Timeline
- 2022-03-09: Issue reported to security@commons.apache.org
- 2022-03-25: Apache Commons security team acknowledged receiving the report
- 2022-05-27: GHSL requested a status update
- 2022-05-27: Apache Commons security team notified GHSL that they were working on disabling script interpolation by default
- 2022-06-29: Apache Commons security team stated that "Commons Text" would be updated so that a programmer's intention to use a "dangerous" feature is completely explicit
- 2022-08-11: GHSL requested a status update
- 2022-10-12: Apache Commons Text releases version 1.10.0 where script interpolation is disabled by default
Summary
The StringSubstitutor default interpolators may lead to unsafe script evaluation and arbitrary code execution.
Product
Apache Commons Text
Tested Version
Details
Issue: Unsafe script evaluation (GHSL-2022-018)
The StringSubstitutor, when used with the default interpolators (StringSubstitutor.createInterpolator()), will perform string lookups that may lead to arbitrary code execution. In particular, if untrusted data flows into the StringSubstitutor.replace() or StringSubstitutor.replaceIn() methods, an attacker will be able to use the ScriptStringLookup to trigger arbitrary code execution.
```java
import org.apache.commons.text.StringSubstitutor;

// Proof of concept: the default interpolator registers the "script" lookup,
// so a template containing ${script:...} is handed to the JSR-223 engine.
final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}");
System.out.println(out);
```
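The mitigation the advisory points to is to make the set of enabled lookups explicit instead of relying on the defaults. The following is an added example, not GHSL's or the Commons Text project's code; it assumes Commons Text 1.9 or later, where StringLookupFactory.interpolatorStringLookup(Map, StringLookup, boolean) lets the caller allowlist the lookup prefixes. With the script, dns and url lookups absent, a hostile ${script:...} reference is simply left unresolved, and disabling substitution inside values stops untrusted data in the variable map from being re-interpolated.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    // Build a substitutor whose interpolator knows only the "sys" and "env" prefixes.
    // addDefaultLookups=false: nothing beyond the map below is registered,
    // so "script", "dns", "url" and friends are never consulted.
    static StringSubstitutor restrictedSubstitutor(Map<String, String> trustedVars) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = Map.of(
                StringLookupFactory.KEY_SYS, factory.systemPropertyStringLookup(),
                StringLookupFactory.KEY_ENV, factory.environmentVariableStringLookup());

        // Plain ${name} references fall back to the caller's own variable map.
        StringLookup fallback = factory.mapStringLookup(trustedVars);
        StringLookup interpolator = factory.interpolatorStringLookup(allowed, fallback, false);

        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Do not re-expand ${...} found inside substituted values; otherwise a
        // value taken from user input could smuggle a second lookup expression.
        sub.setDisableSubstitutionInValues(true);
        return sub;
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for an attacker-controlled string.
        Map<String, String> vars = Map.of("user", "${script:javascript:1+1}");
        StringSubstitutor sub = restrictedSubstitutor(vars);

        // "sys" is allowlisted and resolves normally.
        System.out.println(sub.replace("java ${sys:java.version}"));

        // Unknown prefix: the expression is left verbatim, no engine is invoked.
        System.out.println(sub.replace("${script:javascript:1+1}"));

        // The value pulled from the map is inserted as-is, not interpolated again.
        System.out.println(sub.replace("hello ${user}"));
    }
}
```

Upgrading to 1.10.0 achieves the same effect for createInterpolator() by default; the explicit allowlist above is the version-independent form of that fix.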
Impact
This issue may lead to Remote Code Execution (RCE).
CVE
- CVE-2022-42889
Resources
- https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-018 in any communication regarding this issue.