CVE-2022-42889: Apache Commons Text

Hi,
A new CVE has been posted in Apache Commons Text: CVE-2022-42889: interpolations that allow RCE disabled in Commons Text 1.10.0.

As far as I can tell from a bit of searching on GitHub, version 1.9 of commons-text is used in XWiki, which is an affected version, but the affected StringSubstitutor API is not.

Would someone more familiar with the XWiki codebase and its dependencies be able to confirm?

I noticed that liquibase includes a repackaged version of commons-text but I don’t know what version and whether StringSubstitutor is actually used or not. I’ll keep trying to dig through the jars to see whether any dependencies are using the affected API.

Cheers
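The jar audit the post above describes (checking which copies of commons-text, including repackaged ones, sit in WEB-INF/lib and whether they predate the 1.10.0 fix) can be scripted. The script below is an added example written for this thread, not code from the XWiki project or from the poster. It reads the version from the standard Maven pom.properties entry when present, and flags any jar that carries a relocated StringSubstitutor.class but no metadata as needing manual inspection. The sample jars it builds, and the relocation prefix "shaded/repackaged/", are constructed for the demonstration and do not describe any real artifact.

```python
"""Scan a directory of jars for copies of Apache Commons Text and report
whether each one is older than 1.10.0, the version named in CVE-2022-42889."""
import os
import tempfile
import zipfile

# Version in which the interpolations that allow RCE were disabled (from the CVE title).
FIXED_VERSION = (1, 10, 0)
# Standard Maven metadata path inside an unshaded commons-text jar.
POM_PROPS_SUFFIX = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
# Class every copy of commons-text ships, whatever package it was relocated to.
MARKER_SUFFIX = "org/apache/commons/text/StringSubstitutor.class"


def parse_version(text):
    """'1.9' -> (1, 9, 0); '1.10.0-SNAPSHOT' -> (1, 10, 0). Non-numeric tails are dropped."""
    parts = []
    for piece in text.split("-", 1)[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def _pom_version(zf):
    """Return the version= value from a commons-text pom.properties entry, or None."""
    for name in zf.namelist():
        if name.endswith(POM_PROPS_SUFFIX):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_jar(path):
    """Classify one jar as not-present, fixed, vulnerable, or unknown-version."""
    with zipfile.ZipFile(path) as zf:
        markers = [n for n in zf.namelist() if n.endswith(MARKER_SUFFIX)]
        version = _pom_version(zf)
    result = {"jar": os.path.basename(path), "version": version,
              "shaded": False, "status": "not-present"}
    if not markers:
        return result
    # Any prefix before org/apache/commons/text means the library was relocated (shaded),
    # so the jar's own name says nothing about the commons-text version inside it.
    result["shaded"] = any(m != MARKER_SUFFIX for m in markers)
    if version is None:
        result["status"] = "unknown-version"   # inspect by hand: metadata was stripped
    elif parse_version(version) >= FIXED_VERSION:
        result["status"] = "fixed"
    else:
        result["status"] = "vulnerable"
    return result


def scan_lib_dir(directory):
    """Inspect every *.jar under directory (recursively); findings sorted by jar name."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for f in files:
            if f.endswith(".jar"):
                findings.append(inspect_jar(os.path.join(root, f)))
    return sorted(findings, key=lambda r: r["jar"])


def _write_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_lib():
    """Constructed stand-in for a WEB-INF/lib directory; the jars are fabricated, not real artifacts."""
    d = tempfile.mkdtemp(prefix="weblib-")
    class_stub = b"\xca\xfe\xba\xbe"  # only the entry name matters for the scan
    _write_jar(os.path.join(d, "commons-text-1.9.jar"), {
        MARKER_SUFFIX: class_stub,
        POM_PROPS_SUFFIX: b"version=1.9\ngroupId=org.apache.commons\nartifactId=commons-text\n",
    })
    _write_jar(os.path.join(d, "commons-text-1.10.0.jar"), {
        MARKER_SUFFIX: class_stub,
        POM_PROPS_SUFFIX: b"version=1.10.0\ngroupId=org.apache.commons\nartifactId=commons-text\n",
    })
    # Hypothetical relocation prefix; shaded copies commonly drop the Maven metadata.
    _write_jar(os.path.join(d, "some-shaded-lib.jar"), {
        "shaded/repackaged/" + MARKER_SUFFIX: class_stub,
    })
    _write_jar(os.path.join(d, "other-lib.jar"), {"com/example/Other.class": class_stub})
    return d


if __name__ == "__main__":
    for r in scan_lib_dir(build_sample_lib()):
        print(f"{r['jar']:<24} {r['status']:<16} version={r['version']} shaded={r['shaded']}")
```

Run it against a real deployment with `scan_lib_dir("/path/to/webapp/WEB-INF/lib")`. An "unknown-version" result is the case the post worries about: a library that bundles its own commons-text under a different package, where the only way to settle the version is to ask the upstream project or diff the classes against a known release.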

commons-configuration appears to use StringSubstitutor (GitHub repository search results)

…which would suggest that config variables could have injected code; however, I don’t know the extent to which commons-configuration is used in XWiki. If that’s how the xwiki.properties files, etc. are read then I guess it might be possible for an attacker to inject a malicious value into config but an attacker would need access to that config so the risk would appear, barring my ignorance, to be minimal in that particular case.

Actually we’ve upgraded to version 1.10 on the 3rd of October, see xwiki-commons/pom.xml at 0814c70b84bc91aecad39d2d6d6ed11375402efd · xwiki/xwiki-commons · GitHub. This means version 14.9RC1 is using version 1.10 and 14.9 final will be using that version.

Note that you should be able to replace the version in WEB-INF/lib easily.

Interesting. Best would be to ask Liquibase to know if they’re aware and in which version they’ve fixed it. XWiki is very fast to upgrade its dependencies in general. We use version 4.12.0 of it ATM.

Thank you @vmassol.

Sorry, I forgot to mention we’re on 13.10 which is why I could see 1.9 in use. We’ll be upgrading to 14.x when it goes into LTS but it’s good to know that 14 already addresses this issue.

Note that you should be able to replace the version in WEB-INF/lib easily.

Thanks, that’s most likely the route we’ll be taking.

Cheers