Coordinated Disclosure Timeline
- 2022-03-09: Issue reported to firstname.lastname@example.org
- 2022-03-25: Apache Commons security team acknowledged receiving the report
- 2022-05-27: GHSL requested a status update
- 2022-05-27: Apache Commons security team notifies that they are working on disabling the script interpolation by default
- 2022-06-29: Apache Commons security team states that “Commons Text” will be updated, in order to make the programmer’s intention completely explicit when using a “dangerous” feature
- 2022-08-11: GHSL requested a status update
- 2022-10-12: Apache Commons Text releases version 1.10.0 where script interpolation is disabled by default
StringSubstitutor default interpolators may lead to unsafe script evaluation and arbitrary code execution
Apache Commons Text
Issue: Unsafe script evaluation

StringSubstitutor, when used with the default interpolators (StringSubstitutor.createInterpolator()), will perform string lookups that may lead to arbitrary code execution. In particular, if untrusted data flows into the StringSubstitutor.replaceIn() methods, an attacker will be able to use the ScriptStringLookup to trigger arbitrary code execution.

This issue may lead to Remote Code Execution (RCE).
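The mitigation that Commons Text 1.10.0 adopted by default (no script, dns or url lookups unless the programmer asks for them) can be enforced explicitly on any version by building the interpolator from an allow-list instead of calling StringSubstitutor.createInterpolator(). The following is an added example and not code from the advisory or from the Apache Commons project; the class name SafeInterpolation, the helper methods, and the sample template are assumptions, and the lookups enabled in the allow-list are just illustrative choices.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    // Prefixes whose lookups reach outside the process (script engine, DNS, HTTP, ...).
    // Useful for logging/alerting when they show up in data that came from a user.
    private static final String[] RISKY_PREFIXES = { "${script:", "${dns:", "${url:" };

    // Hypothetical helper (not part of Commons Text): a StringSubstitutor whose only
    // lookups are the ones listed here. addDefaultLookups=false keeps the default set,
    // which includes ScriptStringLookup before 1.10.0, from being registered at all.
    public static StringSubstitutor restricted(Map<String, String> vars) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", f.dateStringLookup());
        allowed.put("base64Encoder", f.base64EncoderStringLookup());
        // Unprefixed keys (and unknown prefixes) fall back to the caller's own map.
        StringLookup interpolator =
                f.interpolatorStringLookup(allowed, f.mapStringLookup(vars), false);
        return new StringSubstitutor(interpolator);
    }

    // Returns true when untrusted text carries one of the risky lookup prefixes,
    // so the caller can reject or log it before any substitution takes place.
    public static boolean containsRiskyLookup(String untrusted) {
        String lower = untrusted.toLowerCase();
        for (String prefix : RISKY_PREFIXES) {
            if (lower.contains(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("user", "alice");
        // Constructed sample: a template mixing a legitimate variable with a script lookup.
        String template = "Hello ${user}, today is ${date:yyyy-MM-dd}: ${script:javascript:1 + 1}";

        System.out.println("risky prefix present: " + containsRiskyLookup(template)); // true
        // With the restricted interpolator the script lookup is not resolved; the
        // unknown prefix falls through to the map, finds nothing, and is left verbatim.
        System.out.println(restricted(vars).replace(template));
    }
}
```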
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at email@example.com; please include a reference to GHSL-2022-018 in any communication regarding this issue.