Text4shell (CVE-2022-42889)

ID

text4shell_cve_2022_42889

Severity

critical

Kind

Remote Code Execution

CWE

117

Description

Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults. Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The application has been shown to initiate contact with remote servers via variable interpolation and may well be vulnerable to Remote Code Execution (RCE).

Rationale

The Text4Shell vulnerability allows remote code execution through malicious variable interpolation expressions in Apache Commons Text versions prior to 1.10.0. Attackers inject special syntax like ${script:javascript:…} or ${dns:…} into user-controlled input that gets processed by the StringSubstitutor or StringLookup classes. When the application processes these expressions, it can trigger arbitrary code execution, DNS exfiltration, or remote resource loading. This vulnerability is similar in nature to Log4Shell but affects applications using Apache Commons Text for string interpolation on untrusted input.

Remediation

Upgrade Apache Commons Text to version 1.10.0 or newer.
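Added example (not part of this record or of the Apache Commons Text project) contrasting the risky pattern from the Rationale with a hardened substitutor that is safe regardless of version: the default interpolator is replaced by one that resolves only an explicit application map and registers no built-in lookups. Class and method names (SafeInterpolation, riskyExpand, safeExpand) and the sample input are constructed for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Risky pattern: before 1.10.0 the default interpolator registers the
    // script, dns and url lookups, so untrusted input reaching replace()
    // can trigger them. Shown for contrast only; never call it on user data.
    static String riskyExpand(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // Hardened pattern: the only resolvable variables are the entries of an
    // application-controlled map. An empty prefix map plus
    // addDefaultLookups=false means script:, dns:, url: and every other
    // built-in lookup are unknown prefixes and are left unexpanded.
    static String safeExpand(String untrusted, Map<String, String> allowed) {
        StringLookup mapOnly = StringLookupFactory.INSTANCE.mapStringLookup(allowed);
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(Collections.emptyMap(), mapOnly, false);
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Block ${${...}} nesting so an attacker cannot assemble a variable
        // name from other substitutions.
        sub.setEnableSubstitutionInVariables(false);
        return sub.replace(untrusted);
    }

    public static void main(String[] args) {
        Map<String, String> allowed = new HashMap<>();
        allowed.put("user", "alice");
        // Constructed sample input: one legitimate variable next to interpolation
        // expressions of the kind the Rationale describes (benign script body).
        String input = "Hello ${user}; ${script:javascript:1+1}; ${dns:address|localhost}";
        System.out.println(safeExpand(input, allowed));
    }
}
```

With the hardened substitutor only ${user} is replaced; the script: and dns: expressions survive verbatim in the output instead of being evaluated, which is the behaviour to assert in a regression test when removing createInterpolator() from code paths that touch untrusted input.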