| Category | Vulnerability Class | CVE ID | CVSS:3.0 Score |
|---|---|---|---|
| Vulnerability Intelligence | Remote Code Execution | CVE-2022-42889 | 9.8 |
- Apache Commons Text versions 1.5 through 1.9 contain a flaw in the StringSubstitutor interpolator class (org.apache.commons.text.StringSubstitutor) that ships with the library.
- A StringSubstitutor built on the default interpolator performs string lookups on the text it interpolates; when that text is attacker-controlled, the lookups can lead to Remote Code Execution.
- Because of a logic error, the "script", "dns" and "url" lookup keys were enabled in the default set of lookups, contrary to what the StringLookupFactory class documentation describes.
- The "script" key runs attacker-supplied code through a JSR-223 script engine, while "dns" and "url" make the server resolve a name or fetch a URL chosen by the attacker, which is enough to confirm the vulnerability blind or to exfiltrate data even where no script engine is available.
- The vulnerable web application exposes a search API in which the Commons Text StringSubstitutor is used to interpolate the query parameter: http://web.app/text4shell/attack?search=<query>
- The vulnerability can be exploited to launch a reverse shell with the payload described as follows:
- The payload's "${prefix:name}" component triggers the string lookup; as noted above, "script", "dns" or "url" can be used as the prefix to exploit the vulnerability.
- The lookup tries to identify a number of fields in this expression:
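To make the search-API case above concrete, the following is an added example (not code from the advisory or from the Commons Text project) that writes the handler once the vulnerable way and once hardened. The class name Text4ShellSearch, the method names and the probe strings are assumptions for illustration; the Commons Text calls (StringLookupFactory.INSTANCE.interpolatorStringLookup, new StringSubstitutor(StringLookup), replace) are the library's real API.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example, not the advisory's own code. Class, method and probe
 * strings are assumptions chosen to illustrate the search API described above.
 */
public class Text4ShellSearch {

    /**
     * Vulnerable variant: interpolatorStringLookup() with no arguments wires in
     * the full default lookup set (StringSubstitutor.createInterpolator() does the
     * same on 1.8+). On Commons Text 1.5 through 1.9 that set includes "script",
     * "dns" and "url", so whoever controls the query can make the server run a
     * script or reach out to a host of their choosing.
     */
    static String vulnerableSearch(String query) {
        StringLookup defaults = StringLookupFactory.INSTANCE.interpolatorStringLookup();
        StringSubstitutor sub = new StringSubstitutor(defaults);
        return sub.replace(query);
    }

    /**
     * Hardened variant: only the lookups the feature actually needs are
     * registered, addDefaultLookups is false and there is no fallback lookup,
     * so "${script:...}", "${dns:...}" and "${url:...}" are left unresolved
     * instead of being executed. Upgrading to 1.10.0 additionally drops the
     * three dangerous lookups from the default set.
     */
    static String hardenedSearch(String query) {
        Map<String, StringLookup> allowed = Map.of(
                "upper", StringLookupFactory.INSTANCE.upperCaseStringLookup(),
                "lower", StringLookupFactory.INSTANCE.lowerCaseStringLookup());
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        return sub.replace(query);
    }

    public static void main(String[] args) {
        // Constructed probe inputs, not captured traffic. The script probe is
        // deliberately benign: it only reads a system property. It needs a JSR-223
        // "javascript" engine on the classpath (Nashorn, removed in JDK 15), so on
        // newer JDKs the vulnerable call throws instead of returning a value.
        String benign = "${upper:commons text}";
        String scriptProbe = "${script:javascript:java.lang.System.getProperty('java.version')}";
        String dnsProbe = "${dns:address|localhost}";

        System.out.println("benign (vulnerable): " + vulnerableSearch(benign));   // COMMONS TEXT
        System.out.println("benign (hardened):   " + hardenedSearch(benign));     // COMMONS TEXT
        System.out.println("dns    (hardened):   " + hardenedSearch(dnsProbe));   // left as-is
        System.out.println("script (hardened):   " + hardenedSearch(scriptProbe)); // left as-is
        try {
            // On 1.5-1.9 with a JavaScript engine present this prints the JVM
            // version: the lookup executed code that arrived in the query string.
            System.out.println("script (vulnerable): " + vulnerableSearch(scriptProbe));
        } catch (RuntimeException e) {
            System.out.println("script (vulnerable): lookup failed: " + e.getMessage());
        }
    }
}
```

Run it against commons-text 1.9 and then 1.10.0 to see the difference: on 1.10.0 the vulnerable method also leaves the script and dns probes untouched, because the fix removed those keys from the defaults (they can only be re-enabled through the org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups system property). The hardened method behaves the same on both, which is the point of an explicit allow-list: the safety does not depend on which library version happens to be on the classpath.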