CVE-2022-42889— Apache Commons Text 代码注入漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2022-42889の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults
ソース: NVD (National Vulnerability Database)
脆弱性説明
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
ソース: NVD (National Vulnerability Database)
CVSS情報
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Apache Commons Text 代码注入漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Apache Commons Text是美国阿帕奇(Apache)基金会的一个专注于字符串算法的库。 Apache Commons Text 1.5至1.9版本存在安全漏洞,该漏洞源于默认的Lookup实例集包括可能导致任意代码执行或与远程服务器联系的插值器,可能容易受到远程代码执行或与远程服务器的无意接触的影响。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Text | unspecified ~ 1.9 | - |
II. CVE-2022-42889の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|---|---|---|
| 1 | CVE-2022-42889 dockerized sample application (Apache Commons Text RCE) | https://github.com/0xst4n/CVE-2022-42889 | POC詳細 |
| 2 | Proof of Concept for the Apache commons-text vulnerability CVE-2022-42889. | https://github.com/SeanWrightSec/CVE-2022-42889-PoC | POC詳細 |
| 3 | ClusterImagePolicy demo for cve-2022-42889 text4shell | https://github.com/chainguard-dev/text4shell-policy | POC詳細 |
| 4 | An intentionally vulnerable webapp to get your hands dirty with CVE-2022-42889. | https://github.com/tulhan/commons-text-goat | POC詳細 |
| 5 | Dockerized POC for CVE-2022-42889 Text4Shell | https://github.com/karthikuj/cve-2022-42889-text4shell-docker | POC詳細 |
| 6 | cve-2022-42889 Text4Shell CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10. | https://github.com/ClickCyber/cve-2022-42889 | POC詳細 |
| 7 | A simple application that shows how to exploit the CVE-2022-42889 vulnerability | https://github.com/korteke/CVE-2022-42889-POC | POC詳細 |
| 8 | None | https://github.com/eunomie/cve-2022-42889-check | POC詳細 |
| 9 | Apache commons text - CVE-2022-42889 Text4Shell proof of concept exploit. | https://github.com/kljunowsky/CVE-2022-42889-text4shell | POC詳細 |
| 10 | A fully automated, accurate, and extensive scanner for finding text4shell RCE CVE-2022-42889 | https://github.com/securekomodo/text4shell-scan | POC詳細 |
| 11 | None | https://github.com/neerazz/CVE-2022-42889 | POC詳細 |
| 12 | 通过 jvm 启动参数 以及 jps pid进行拦截非法参数 | https://github.com/uk0/cve-2022-42889-intercept | POC詳細 |
| 13 | Proof of Concept Appliction for testing CVE-2022-42889 | https://github.com/securekomodo/text4shell-poc | POC詳細 |
| 14 | None | https://github.com/humbss/CVE-2022-42889 | POC詳細 |
| 15 | This project includes a python script which generates malicious commands leveraging CVE-2022-42889 vulnerability | https://github.com/stavrosgns/Text4ShellPayloads | POC詳細 |
| 16 | python script for CVE-2022-42889 | https://github.com/s3l33/CVE-2022-42889 | POC詳細 |
| 17 | Dockerized PoC for CVE-2022-42889 Text4Shell | https://github.com/galoget/CVE-2022-42889-Text4Shell-Docker | POC詳細 |
| 18 | CVE-2022-42889 Text4Shell Exploit POC | https://github.com/rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC | POC詳細 |
| 19 | A simple dockerize application that shows how to exploit the CVE-2022-42889 vulnerability. | https://github.com/akshayithape-devops/CVE-2022-42889-POC | POC詳細 |
| 20 | Apache Text4Shell (CVE-2022-42889) Burp Bounty Profile | https://github.com/0xmaximus/Apache-Commons-Text-CVE-2022-42889 | POC詳細 |
| 21 | Vulnerability Scanner for CVE-2022-42889 (Text4Shell) | https://github.com/smileostrich/Text4Shell-Scanner | POC詳細 |
| 22 | CVE-2022-42889 aka Text4Shell research & PoC | https://github.com/cxzero/CVE-2022-42889-text4shell | POC詳細 |
| 23 | Text4Shell PoC Exploit | https://github.com/west-wind/CVE-2022-42889 | POC詳細 |
| 24 | None | https://github.com/Vulnmachines/text4shell-CVE-2022-42889 | POC詳細 |
| 25 | CVE-2022-42889 Blind-RCE Nuclei Template | https://github.com/Hack4rLIFE/CVE-2022-42889 | POC詳細 |
| 26 | Proof of Concept for CVE-2022-42889 (Text4Shell Vulnerability) | https://github.com/cryxnet/CVE-2022-42889-RCE | POC詳細 |
| 27 | CVE-2022-42889 (a.k.a. Text4Shell) RCE Proof of Concept | https://github.com/sunnyvale-it/CVE-2022-42889-PoC | POC詳細 |
| 28 | Script to handle CVE 2022-42889 | https://github.com/QAInsights/cve-2022-42889-jmeter | POC詳細 |
| 29 | None | https://github.com/adarshpv9746/Text4shell--Automated-exploit---CVE-2022-42889 | POC詳細 |
| 30 | Python Script to exploit RCE of CVE-2022-42889 | https://github.com/pwnb0y/Text4shell-exploit | POC詳細 |
| 31 | CVE-2022-42889 - Text4Shell exploit | https://github.com/gokul-ramesh/text4shell-exploit | POC詳細 |
| 32 | text4shell(CVE-2022-42889) BurpSuite Scanner | https://github.com/f0ng/text4shellburpscanner | POC詳細 |
| 33 | https://github.com/karthikuj/cve-2022-42889-text4shell-docker.git | https://github.com/WFS-Mend/vtrade-common | POC詳細 |
| 34 | Kubernetes Lab for CVE-2022-42889 | https://github.com/devenes/text4shell-cve-2022-42889 | POC詳細 |
| 35 | A demonstration of CVE-2022-42889 (text4shell) remote code execution vulnerability | https://github.com/hotblac/text4shell | POC詳細 |
| 36 | docker for CVE-2022-42889 | https://github.com/necroteddy/CVE-2022-42889 | POC詳細 |
| 37 | None | https://github.com/ReachabilityOrg/cve-2022-42889-text4shell-docker | POC詳細 |
| 38 | None | https://github.com/dgor2023/cve-2022-42889-text4shell-docker | POC詳細 |
| 39 | None | https://github.com/Dima2021/cve-2022-42889-text4shell | POC詳細 |
| 40 | None | https://github.com/RSA-Demo/cve-2022-42889-text4shell | POC詳細 |
| 41 | Dockerized POC for CVE-2022-42889 Text4Shell | https://github.com/aaronm-sysdig/text4shell-docker | POC詳細 |
| 42 | This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889. | https://github.com/gustanini/CVE-2022-42889-Text4Shell-POC | POC詳細 |
| 43 | Text4Shell | https://github.com/Sic4rio/CVE-2022-42889 | POC詳細 |
| 44 | RCE PoC for Apache Commons Text vuln | https://github.com/34006133/CVE-2022-42889 | POC詳細 |
| 45 | None | https://github.com/DimaMend/cve-2022-42889-text4shell | POC詳細 |
| 46 | CVE-2022-42889 Blind-RCE Nuclei Template | https://github.com/Gotcha-1G/CVE-2022-42889 | POC詳細 |
| 47 | None | https://github.com/joshbnewton31080/cve-2022-42889-text4shell | POC詳細 |
| 48 | None | https://github.com/MendDemo-josh/cve-2022-42889-text4shell | POC詳細 |
| 49 | CVE-2022-42889 dockerized sample application (Apache Commons Text RCE) | https://github.com/rockmelodies/CVE-2022-42889 | POC詳細 |
| 50 | This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889. | https://github.com/808ale/CVE-2022-42889-Text4Shell-POC | POC詳細 |
| 51 | A fully automated, accurate, and extensive scanner for finding text4shell RCE CVE-2022-42889 | https://github.com/kiralab/text4shell-scan | POC詳細 |
| 52 | A custom Python-based proof-of-concept (PoC) exploit targeting Text4Shell (CVE-2022-42889), a critical remote code execution vulnerability in Apache Commons Text versions < 1.10. | https://github.com/chaudharyarjun/text4shell-exploit | POC詳細 |
| 53 | CVE-2022-42889 Blind-RCE Nuclei Template | https://github.com/Gotcha1G/CVE-2022-42889 | POC詳細 |
| 54 | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. | https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/cves/2022/CVE-2022-42889.yaml | POC詳細 |
| 55 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/Apache%20Commons%20Text%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-42889.md | POC詳細 |
| 56 | Python Script to exploit RCE of CVE-2022-42889 | https://github.com/vickyaryan7/Text4shell-exploit | POC詳細 |
| 57 | A custom Python-based proof-of-concept (PoC) exploit targeting Text4Shell (CVE-2022-42889), a critical remote code execution vulnerability in Apache Commons Text versions < 1.10. | https://github.com/Syndicate27/text4shell-exploit | POC詳細 |
| 58 | Log4Shell / Log4J Payload - CVE-2021-45046 and CVE-2022-42889 | https://github.com/ifconfig-me/Log4Shell-Payloads | POC詳細 |
| 59 | None | https://github.com/shoucheng3/asf__commons-text_CVE-2022-42889_1-9 | POC詳細 |
| 60 | Proof of Concept (PoC) for CVE-2022-42889 (Text4Shell) targeting Apache Commons Text versions prior to 1.10.0. This script automates Remote Code Execution (RCE) via script interpolation to establish a reverse shell. This version is a structured optimization based on the original exploit found at Exploit-DB (ID: 52261). | https://github.com/Goultarde/CVE-2022-42889-text4shell | POC詳細 |
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2022-42889のインテリジェンス情報
请登录查看更多情报信息。
- https://security.gentoo.org/glsa/202301-05vendor-advisory
- http://seclists.org/fulldisclosure/2023/Feb/3mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2022-42889
IV. 関連脆弱性
同じベンダー: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
V. CVE-2022-42889へのコメント
まだコメントはありません