⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2022-42889 Text4Shell: Code Injection in Apache Commons Text

CWE-94 Code Injection | 27 documents | 14 sources

Severity: 9.8 CRITICAL (NVD)
EPSS: 94.3% (top 0.07%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published Oct 13; Latest update Apr 18

Description

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These look

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (12 packages)

Source | Package | Versions
NVD | apache/commons_text | 1.5 to 1.10.0
CVEListV5 | apache_software_foundation/apache_commons_text | 1.5 (Apache Commons Text *, +1 more)
Palo Alto | paloalto/pan-os |
Palo Alto | paloalto/prisma_sd |

🔴 Vulnerability Details (5)

CVEList: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults (2022-10-13)
OSV: CVE-2022-42889: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded (2022-10-13)
GHSA: Arbitrary code execution in Apache Commons Text (2022-10-13)
OSV: Arbitrary code execution in Apache Commons Text (2022-10-13)
VulnCheck: Apache commons_text Improper Control of Generation of Code ('Code Injection') (2022)

💥 Exploits & PoCs (2)

Exploit-DB: Apache Commons Text 1.10.0 - Remote Code Execution (2025-04-18)
Nuclei: Text4Shell - Remote Code Execution

🔍 Detection Rules (8)

Suricata: ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (2022-10-19)
Suricata: ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound) (2022-10-19)
Suricata: ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Outbound) (2022-10-19)
Suricata: ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound) (2022-10-19)
Suricata: ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound) (2022-10-19)

📋 Vendor Advisories (6)

Oracle: Oracle HealthCare Applications Risk Matrix: FHIR (Apache Commons Text) — CVE-2022-42889 (2024-04-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Application (Apache Commons Text) — CVE-2022-42889 (2023-04-15)
Oracle: Oracle Communications Applications Risk Matrix: PSR Designer (Apache Commons Text) — CVE-2022-42889 (2023-01-15)
Palo Alto: CVE-2022-42889 Impact of Apache Text Commons Vulnerability CVE-2022-42889 (2022-11-09)
Red Hat: apache-commons-text: variable interpolation RCE (2022-10-13)

🕵️ Threat Intelligence (3)

Qualys: CVE-2022-42889: Detect Text4Shell via Qualys Container Security (2022-10-25)
Huntress: CVE-2022-42889 (Text4Shell): Analysis, Detection & Prevention