Summary

Acunetix 360 detected that the application is vulnerable to a remote code execution (RCE) vulnerability which has CVE-2022-42889 number assigned and mainly affects Apache Software Foundation Commons Text from 1.5 to 1.10.0

Impact

  • The vulnerability allows attackers to execute arbitrary code on the target systems. The attacker may also be able to execute arbitrary system commands.
  • There is a publicly available exploit of the vulnerability. It should therefore be addressed as soon as possible.

Remediation

The StringSubstitutor when used with the default interpolators (StringSubstitutor.createInterpolator()) will perform string lookups that may lead to arbitrary code execution. Please disable script interpolation.

Severity

Critical

Classification

PCI v3.2-6.5.1 CAPEC-242 CWE-94 HIPAA-164.306(a) 164.308(a) ISO27001-A.14.2.5 OWASP 2013-A03 OWASP 2017-A01 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H