Vulnerability details: VCID-a1bm-5n1u-aaaj
System Score Found at
cvssv3.1 9.8 http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
generic_textual CRITICAL http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
ssvc Track http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
cvssv3.1 9.8 http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
generic_textual CRITICAL http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
ssvc Track http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
cvssv3.1 7.5 https://access.redhat.com/errata/RHSA-2023:2135
ssvc Track https://access.redhat.com/errata/RHSA-2023:2135
cvssv3 9.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json
epss 0.94115 https://api.first.org/data/v1/epss?cve=CVE-2022-42889
epss 0.94161 https://api.first.org/data/v1/epss?cve=CVE-2022-42889
epss 0.9432 https://api.first.org/data/v1/epss?cve=CVE-2022-42889
epss 0.97060 https://api.first.org/data/v1/epss?cve=CVE-2022-42889
epss 0.97122 https://api.first.org/data/v1/epss?cve=CVE-2022-42889
epss 0.97203 https://api.first.org/data/v1/epss?cve=CVE-2022-42889
epss 0.97318 https://api.first.org/data/v1/epss?cve=CVE-2022-42889
epss 0.97327 https://api.first.org/data/v1/epss?cve=CVE-2022-42889
cvssv3.1 9.8 https://arxiv.org/pdf/2306.05534
generic_textual CRITICAL https://arxiv.org/pdf/2306.05534
cvssv3.1 9.8 http://seclists.org/fulldisclosure/2023/Feb/3
generic_textual CRITICAL http://seclists.org/fulldisclosure/2023/Feb/3
ssvc Track http://seclists.org/fulldisclosure/2023/Feb/3
cvssv3.1 9.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-599f-7c49-w659
cvssv3.1 9.8 https://github.com/apache/commons-text
generic_textual CRITICAL https://github.com/apache/commons-text
cvssv3.1 9.8 https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
generic_textual CRITICAL https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
ssvc Track https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2022-42889
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2022-42889
cvssv3.1 9.8 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
generic_textual CRITICAL https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
ssvc Track https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
cvssv3.1 9.8 https://security.gentoo.org/glsa/202301-05
generic_textual CRITICAL https://security.gentoo.org/glsa/202301-05
ssvc Track https://security.gentoo.org/glsa/202301-05
cvssv3.1 9.8 https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text
generic_textual CRITICAL https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text
cvssv3.1 9.8 https://security.netapp.com/advisory/ntap-20221020-0004
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20221020-0004
ssvc Track https://security.netapp.com/advisory/ntap-20221020-0004/
cvssv3.1 9.8 http://www.openwall.com/lists/oss-security/2022/10/13/4
generic_textual CRITICAL http://www.openwall.com/lists/oss-security/2022/10/13/4
ssvc Track http://www.openwall.com/lists/oss-security/2022/10/13/4
cvssv3.1 9.8 http://www.openwall.com/lists/oss-security/2022/10/18/1
generic_textual CRITICAL http://www.openwall.com/lists/oss-security/2022/10/18/1
ssvc Track http://www.openwall.com/lists/oss-security/2022/10/18/1
Reference id Reference type URL
http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json
https://api.first.org/data/v1/epss?cve=CVE-2022-42889
https://arxiv.org/pdf/2306.05534
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889
http://seclists.org/fulldisclosure/2023/Feb/3
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/commons-text
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
https://security.gentoo.org/glsa/202301-05
https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text
https://security.netapp.com/advisory/ntap-20221020-0004
https://security.netapp.com/advisory/ntap-20221020-0004/
http://www.openwall.com/lists/oss-security/2022/10/13/4
http://www.openwall.com/lists/oss-security/2022/10/18/1
1021787 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021787
2135435 https://bugzilla.redhat.com/show_bug.cgi?id=2135435
cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*
CVE-2022-42889 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52261.py
CVE-2022-42889 https://nvd.nist.gov/vuln/detail/CVE-2022-42889
GHSA-599f-7c49-w659 https://github.com/advisories/GHSA-599f-7c49-w659
RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
RHSA-2022:8876 https://access.redhat.com/errata/RHSA-2022:8876
RHSA-2022:8902 https://access.redhat.com/errata/RHSA-2022:8902
RHSA-2022:9023 https://access.redhat.com/errata/RHSA-2022:9023
RHSA-2023:0261 https://access.redhat.com/errata/RHSA-2023:0261
RHSA-2023:0469 https://access.redhat.com/errata/RHSA-2023:0469
RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006
RHSA-2023:1524 https://access.redhat.com/errata/RHSA-2023:1524
RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655
RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097
RHSA-2023:2135 https://access.redhat.com/errata/RHSA-2023:2135
RHSA-2023:3195 https://access.redhat.com/errata/RHSA-2023:3195
RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198
RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299
RHSA-2023:6171 https://access.redhat.com/errata/RHSA-2023:6171
RHSA-2023:6172 https://access.redhat.com/errata/RHSA-2023:6172
RHSA-2023:6179 https://access.redhat.com/errata/RHSA-2023:6179
RHSA-2023:7288 https://access.redhat.com/errata/RHSA-2023:7288
RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775
RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776
RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777
RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
RHSA-2025:1746 https://access.redhat.com/errata/RHSA-2025:1746
RHSA-2025:1747 https://access.redhat.com/errata/RHSA-2025:1747
Data source Exploit-DB
Date added April 18, 2025
Description Apache Commons Text 1.10.0 - Remote Code Execution
Ransomware campaign use Unknown
Source publication date April 18, 2025
Exploit type webapps
Platform multiple
Source update date April 18, 2025
Data source Metasploit
Description This exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the “script”, “dns” and “url” lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the "script" key. In order to exploit the vulnerabilities, the following requirements must be met:
  - Run a version of Apache Commons Text from version 1.5 to 1.9
  - Use the StringSubstitutor interpolator
  - Target should run JDK < 15
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - artifacts-on-disk
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date Oct. 13, 2022
Platform Java,Linux,Unix,Windows
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/apache_commons_text4shell.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2023:2135
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: none / I: none / A: high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-08T18:37:50Z/ Found at https://access.redhat.com/errata/RHSA-2023:2135
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://arxiv.org/pdf/2306.05534
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://seclists.org/fulldisclosure/2023/Feb/3
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at http://seclists.org/fulldisclosure/2023/Feb/3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/commons-text
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-42889
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-42889
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202301-05
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at https://security.gentoo.org/glsa/202301-05
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20221020-0004
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at https://security.netapp.com/advisory/ntap-20221020-0004/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2022/10/13/4
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at http://www.openwall.com/lists/oss-security/2022/10/13/4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2022/10/18/1
AV: network / AC: low / PR: none / UI: none / S: unchanged / C: high / I: high / A: high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/ Found at http://www.openwall.com/lists/oss-security/2022/10/18/1
Exploit Prediction Scoring System (EPSS)
Percentile 0.99899
EPSS Score 0.94115
Published At April 2, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.