一、 漏洞 CVE-2022-42889 基础信息
漏洞信息
# Apache Commons Text 1.10.0 之前远程代码执行漏洞
N/A
神龙判断
是否为 Web 类漏洞: 是
判断理由:
是。这个漏洞存在于Apache Commons Text库中,涉及变量插值功能,可能导致远程代码执行或与远程服务器的意外通信,当应用程序使用受影响版本(1.5至1.9)的插值默认设置且使用了不可信的配置值时,可能会被利用。
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
N/A
来源:美国国家漏洞数据库 NVD
漏洞标题
Apache Commons Text 代码注入漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Apache Commons Text是美国阿帕奇(Apache)基金会的一个专注于字符串算法的库。 Apache Commons Text 1.5至1.9版本存在安全漏洞,该漏洞源于默认的Lookup实例集包括可能导致任意代码执行或与远程服务器联系的插值器,可能容易受到远程代码执行或与远程服务器的无意接触的影响。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
代码注入
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2022-42889 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | CVE-2022-42889 dockerized sample application (Apache Commons Text RCE) | https://github.com/0xst4n/CVE-2022-42889 | POC详情 |
| 2 | Proof of Concept for the Apache commons-text vulnerability CVE-2022-42889. | https://github.com/SeanWrightSec/CVE-2022-42889-PoC | POC详情 |
| 3 | ClusterImagePolicy demo for cve-2022-42889 text4shell | https://github.com/chainguard-dev/text4shell-policy | POC详情 |
| 4 | An intentionally vulnerable webapp to get your hands dirty with CVE-2022-42889. | https://github.com/tulhan/commons-text-goat | POC详情 |
| 5 | Dockerized POC for CVE-2022-42889 Text4Shell | https://github.com/karthikuj/cve-2022-42889-text4shell-docker | POC详情 |
| 6 | cve-2022-42889 Text4Shell CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10. | https://github.com/ClickCyber/cve-2022-42889 | POC详情 |
| 7 | A simple application that shows how to exploit the CVE-2022-42889 vulnerability | https://github.com/korteke/CVE-2022-42889-POC | POC详情 |
| 8 | None | https://github.com/eunomie/cve-2022-42889-check | POC详情 |
| 9 | Apache commons text - CVE-2022-42889 Text4Shell proof of concept exploit. | https://github.com/kljunowsky/CVE-2022-42889-text4shell | POC详情 |
| 10 | A fully automated, accurate, and extensive scanner for finding text4shell RCE CVE-2022-42889 | https://github.com/securekomodo/text4shell-scan | POC详情 |
| 11 | None | https://github.com/neerazz/CVE-2022-42889 | POC详情 |
| 12 | 通过 jvm 启动参数 以及 jps pid进行拦截非法参数 | https://github.com/uk0/cve-2022-42889-intercept | POC详情 |
| 13 | Proof of Concept Appliction for testing CVE-2022-42889 | https://github.com/securekomodo/text4shell-poc | POC详情 |
| 14 | None | https://github.com/humbss/CVE-2022-42889 | POC详情 |
| 15 | This project includes a python script which generates malicious commands leveraging CVE-2022-42889 vulnerability | https://github.com/stavrosgns/Text4ShellPayloads | POC详情 |
| 16 | python script for CVE-2022-42889 | https://github.com/s3l33/CVE-2022-42889 | POC详情 |
| 17 | Dockerized PoC for CVE-2022-42889 Text4Shell | https://github.com/galoget/CVE-2022-42889-Text4Shell-Docker | POC详情 |
| 18 | CVE-2022-42889 Text4Shell Exploit POC | https://github.com/rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC | POC详情 |
| 19 | A simple dockerize application that shows how to exploit the CVE-2022-42889 vulnerability. | https://github.com/akshayithape-devops/CVE-2022-42889-POC | POC详情 |
| 20 | Apache Text4Shell (CVE-2022-42889) Burp Bounty Profile | https://github.com/0xmaximus/Apache-Commons-Text-CVE-2022-42889 | POC详情 |
| 21 | Vulnerability Scanner for CVE-2022-42889 (Text4Shell) | https://github.com/smileostrich/Text4Shell-Scanner | POC详情 |
| 22 | CVE-2022-42889 aka Text4Shell research & PoC | https://github.com/cxzero/CVE-2022-42889-text4shell | POC详情 |
| 23 | Text4Shell PoC Exploit | https://github.com/west-wind/CVE-2022-42889 | POC详情 |
| 24 | None | https://github.com/Vulnmachines/text4shell-CVE-2022-42889 | POC详情 |
| 25 | CVE-2022-42889 Blind-RCE Nuclei Template | https://github.com/Hack4rLIFE/CVE-2022-42889 | POC详情 |
| 26 | Proof of Concept for CVE-2022-42889 (Text4Shell Vulnerability) | https://github.com/cryxnet/CVE-2022-42889-RCE | POC详情 |
| 27 | CVE-2022-42889 (a.k.a. Text4Shell) RCE Proof of Concept | https://github.com/sunnyvale-it/CVE-2022-42889-PoC | POC详情 |
| 28 | Script to handle CVE 2022-42889 | https://github.com/QAInsights/cve-2022-42889-jmeter | POC详情 |
| 29 | None | https://github.com/adarshpv9746/Text4shell--Automated-exploit---CVE-2022-42889 | POC详情 |
| 30 | Python Script to exploit RCE of CVE-2022-42889 | https://github.com/pwnb0y/Text4shell-exploit | POC详情 |
| 31 | CVE-2022-42889 - Text4Shell exploit | https://github.com/gokul-ramesh/text4shell-exploit | POC详情 |
| 32 | text4shell(CVE-2022-42889) BurpSuite Scanner | https://github.com/f0ng/text4shellburpscanner | POC详情 |
| 33 | https://github.com/karthikuj/cve-2022-42889-text4shell-docker.git | https://github.com/WFS-Mend/vtrade-common | POC详情 |
| 34 | Kubernetes Lab for CVE-2022-42889 | https://github.com/devenes/text4shell-cve-2022-42889 | POC详情 |
| 35 | A demonstration of CVE-2022-42889 (text4shell) remote code execution vulnerability | https://github.com/hotblac/text4shell | POC详情 |
| 36 | docker for CVE-2022-42889 | https://github.com/necroteddy/CVE-2022-42889 | POC详情 |
| 37 | None | https://github.com/ReachabilityOrg/cve-2022-42889-text4shell-docker | POC详情 |
| 38 | None | https://github.com/dgor2023/cve-2022-42889-text4shell-docker | POC详情 |
| 39 | None | https://github.com/Dima2021/cve-2022-42889-text4shell | POC详情 |
| 40 | None | https://github.com/RSA-Demo/cve-2022-42889-text4shell | POC详情 |
| 41 | Dockerized POC for CVE-2022-42889 Text4Shell | https://github.com/aaronm-sysdig/text4shell-docker | POC详情 |
| 42 | This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889. | https://github.com/gustanini/CVE-2022-42889-Text4Shell-POC | POC详情 |
| 43 | Text4Shell | https://github.com/Sic4rio/CVE-2022-42889 | POC详情 |
| 44 | RCE PoC for Apache Commons Text vuln | https://github.com/34006133/CVE-2022-42889 | POC详情 |
| 45 | None | https://github.com/DimaMend/cve-2022-42889-text4shell | POC详情 |
| 46 | CVE-2022-42889 Blind-RCE Nuclei Template | https://github.com/Gotcha-1G/CVE-2022-42889 | POC详情 |
| 47 | None | https://github.com/joshbnewton31080/cve-2022-42889-text4shell | POC详情 |
| 48 | None | https://github.com/MendDemo-josh/cve-2022-42889-text4shell | POC详情 |
| 49 | CVE-2022-42889 dockerized sample application (Apache Commons Text RCE) | https://github.com/rockmelodies/CVE-2022-42889 | POC详情 |
| 50 | This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889. | https://github.com/808ale/CVE-2022-42889-Text4Shell-POC | POC详情 |
| 51 | A fully automated, accurate, and extensive scanner for finding text4shell RCE CVE-2022-42889 | https://github.com/kiralab/text4shell-scan | POC详情 |
| 52 | A custom Python-based proof-of-concept (PoC) exploit targeting Text4Shell (CVE-2022-42889), a critical remote code execution vulnerability in Apache Commons Text versions < 1.10. | https://github.com/chaudharyarjun/text4shell-exploit | POC详情 |
| 53 | CVE-2022-42889 Blind-RCE Nuclei Template | https://github.com/Gotcha1G/CVE-2022-42889 | POC详情 |
| 54 | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. | https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/cves/2022/CVE-2022-42889.yaml | POC详情 |
| 55 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/Apache%20Commons%20Text%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-42889.md | POC详情 |
| 56 | Python Script to exploit RCE of CVE-2022-42889 | https://github.com/vickyaryan7/Text4shell-exploit | POC详情 |
| 57 | A custom Python-based proof-of-concept (PoC) exploit targeting Text4Shell (CVE-2022-42889), a critical remote code execution vulnerability in Apache Commons Text versions < 1.10. | https://github.com/Syndicate27/text4shell-exploit | POC详情 |
| 58 | Log4Shell / Log4J Payload - CVE-2021-45046 and CVE-2022-42889 | https://github.com/ifconfig-me/Log4Shell-Payloads | POC详情 |
| 59 | None | https://github.com/shoucheng3/asf__commons-text_CVE-2022-42889_1-9 | POC详情 |
| 60 | Proof of Concept (PoC) for CVE-2022-42889 (Text4Shell) targeting Apache Commons Text versions prior to 1.10.0. This script automates Remote Code Execution (RCE) via script interpolation to establish a reverse shell. This version is a structured optimization based on the original exploit found at Exploit-DB (ID: 52261). | https://github.com/Goultarde/CVE-2022-42889-text4shell | POC详情 |
三、漏洞 CVE-2022-42889 的情报信息
- http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
- https://security.netapp.com/advisory/ntap-20221020-0004/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
- https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
- http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
- https://security.gentoo.org/glsa/202301-05vendor-advisory
- http://seclists.org/fulldisclosure/2023/Feb/3mailing-list
标题: oss-security - CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults -- 🔗来源链接
标签:mailing-list
神龙速读:### 关键漏洞信息 - **漏洞编号**: CVE-2022-42889 - **受影响软件**: Apache Commons Text - **受影响版本**: 1.x 系列至 1.9.0,未包含 1.10.0 - **漏洞类型**: 远程代码执行 (RCE) - **严重性**: 重要 - **发布日期**: 2022年10月13日 #### 描述 Apache Commons Text 库允许动态评估和扩展属性值。在版本 1.5 至 1.9.0 中,默认情况下包含不安全的插值处理器,可能导致任意代码执行或与远程服务器的非预期交互。 #### 缓解措施 升级至 Apache Commons Text 1.10.0 版本,该版本禁用了问题插值处理器。
- http://www.openwall.com/lists/oss-security/2022/10/18/1mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2022-42889
四、漏洞 CVE-2022-42889 的评论
暂无评论