一、 漏洞 CVE-2022-42889 基础信息
漏洞标题
在Apache Commons Text 1.10.0之前,由于不安全的插值默认值,允许在未信任的输入中使用RCE。
来源:AIGC 神龙大模型
漏洞描述信息
Apache Commons Text 在 1.10.0 之前的版本中,由于不安全的默认插值,会对未经信任的输入应用时导致远程代码执行(RCE)。
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
来源:AIGC 神龙大模型
漏洞类别
N/A
来源:AIGC 神龙大模型
漏洞标题
Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
N/A
来源:美国国家漏洞数据库 NVD
漏洞标题
Apache Commons Text 代码注入漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Apache Commons Text是美国阿帕奇(Apache)基金会的一个专注于字符串算法的库。 Apache Commons Text 1.5至1.9版本存在安全漏洞,该漏洞源于默认的Lookup实例集包括可能导致任意代码执行或与远程服务器联系的插值器,可能容易受到远程代码执行或与远程服务器的无意接触的影响。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
代码注入
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2022-42889 的公开POC
# POC 描述 源链接 神龙链接
1 CVE-2022-42889 dockerized sample application (Apache Commons Text RCE) https://github.com/0xst4n/CVE-2022-42889 POC详情
2 Proof of Concept for the Apache commons-text vulnerability CVE-2022-42889. https://github.com/SeanWrightSec/CVE-2022-42889-PoC POC详情
3 ClusterImagePolicy demo for cve-2022-42889 text4shell https://github.com/chainguard-dev/text4shell-policy POC详情
4 An intentionally vulnerable webapp to get your hands dirty with CVE-2022-42889. https://github.com/tulhan/commons-text-goat POC详情
5 Dockerized POC for CVE-2022-42889 Text4Shell https://github.com/karthikuj/cve-2022-42889-text4shell-docker POC详情
6 cve-2022-42889 Text4Shell CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10. https://github.com/ClickCyber/cve-2022-42889 POC详情
7 A simple application that shows how to exploit the CVE-2022-42889 vulnerability https://github.com/korteke/CVE-2022-42889-POC POC详情
8 None https://github.com/eunomie/cve-2022-42889-check POC详情
9 Apache commons text - CVE-2022-42889 Text4Shell proof of concept exploit. https://github.com/kljunowsky/CVE-2022-42889-text4shell POC详情
10 A fully automated, accurate, and extensive scanner for finding text4shell RCE CVE-2022-42889 https://github.com/securekomodo/text4shell-scan POC详情
11 None https://github.com/neerazz/CVE-2022-42889 POC详情
12 通过 jvm 启动参数 以及 jps pid进行拦截非法参数 https://github.com/uk0/cve-2022-42889-intercept POC详情
13 Proof of Concept Appliction for testing CVE-2022-42889 https://github.com/securekomodo/text4shell-poc POC详情
14 None https://github.com/humbss/CVE-2022-42889 POC详情
15 This project includes a python script which generates malicious commands leveraging CVE-2022-42889 vulnerability https://github.com/stavrosgns/Text4ShellPayloads POC详情
16 python script for CVE-2022-42889 https://github.com/s3l33/CVE-2022-42889 POC详情
17 Dockerized PoC for CVE-2022-42889 Text4Shell https://github.com/galoget/CVE-2022-42889-Text4Shell-Docker POC详情
18 CVE-2022-42889 Text4Shell Exploit POC https://github.com/rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC POC详情
19 A simple dockerize application that shows how to exploit the CVE-2022-42889 vulnerability. https://github.com/akshayithape-devops/CVE-2022-42889-POC POC详情
20 Apache Text4Shell (CVE-2022-42889) Burp Bounty Profile https://github.com/0xmaximus/Apache-Commons-Text-CVE-2022-42889 POC详情
21 Vulnerability Scanner for CVE-2022-42889 (Text4Shell) https://github.com/smileostrich/Text4Shell-Scanner POC详情
22 CVE-2022-42889 aka Text4Shell research & PoC https://github.com/cxzero/CVE-2022-42889-text4shell POC详情
23 Text4Shell PoC Exploit https://github.com/west-wind/CVE-2022-42889 POC详情
24 None https://github.com/Vulnmachines/text4shell-CVE-2022-42889 POC详情
25 CVE-2022-42889 Blind-RCE Nuclei Template https://github.com/Hack4rLIFE/CVE-2022-42889 POC详情
26 Proof of Concept for CVE-2022-42889 (Text4Shell Vulnerability) https://github.com/cryxnet/CVE-2022-42889-RCE POC详情
27 CVE-2022-42889 (a.k.a. Text4Shell) RCE Proof of Concept https://github.com/sunnyvale-it/CVE-2022-42889-PoC POC详情
28 Script to handle CVE 2022-42889 https://github.com/QAInsights/cve-2022-42889-jmeter POC详情
29 None https://github.com/adarshpv9746/Text4shell--Automated-exploit---CVE-2022-42889 POC详情
30 Python Script to exploit RCE of CVE-2022-42889 https://github.com/pwnb0y/Text4shell-exploit POC详情
31 CVE-2022-42889 - Text4Shell exploit https://github.com/gokul-ramesh/text4shell-exploit POC详情
32 text4shell(CVE-2022-42889) BurpSuite Scanner https://github.com/f0ng/text4shellburpscanner POC详情
33 https://github.com/karthikuj/cve-2022-42889-text4shell-docker.git https://github.com/WFS-Mend/vtrade-common POC详情
34 Kubernetes Lab for CVE-2022-42889 https://github.com/devenes/text4shell-cve-2022-42889 POC详情
35 A demonstration of CVE-2022-42889 (text4shell) remote code execution vulnerability https://github.com/hotblac/text4shell POC详情
36 docker for CVE-2022-42889 https://github.com/necroteddy/CVE-2022-42889 POC详情
37 None https://github.com/ReachabilityOrg/cve-2022-42889-text4shell-docker POC详情
38 None https://github.com/dgor2023/cve-2022-42889-text4shell-docker POC详情
39 None https://github.com/Dima2021/cve-2022-42889-text4shell POC详情
40 None https://github.com/RSA-Demo/cve-2022-42889-text4shell POC详情
41 Dockerized POC for CVE-2022-42889 Text4Shell https://github.com/aaronm-sysdig/text4shell-docker POC详情
42 This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889. https://github.com/gustanini/CVE-2022-42889-Text4Shell-POC POC详情
43 Text4Shell https://github.com/Sic4rio/CVE-2022-42889 POC详情
44 RCE PoC for Apache Commons Text vuln https://github.com/34006133/CVE-2022-42889 POC详情
45 None https://github.com/DimaMend/cve-2022-42889-text4shell POC详情
46 CVE-2022-42889 Blind-RCE Nuclei Template https://github.com/Gotcha-1G/CVE-2022-42889 POC详情
47 None https://github.com/joshbnewton31080/cve-2022-42889-text4shell POC详情
48 None https://github.com/MendDemo-josh/cve-2022-42889-text4shell POC详情
49 CVE-2022-42889 dockerized sample application (Apache Commons Text RCE) https://github.com/rockmelodies/CVE-2022-42889 POC详情
50 This repository contains a Python script to automate the process of testing for a vulnerability known as Text4Shell, referenced under the CVE id: CVE-2022-42889. https://github.com/808ale/CVE-2022-42889-Text4Shell-POC POC详情
三、漏洞 CVE-2022-42889 的情报信息