The issue stems from the fact that the following keys should not be interpolated by default (as per the documentation [https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html](https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html)):
22
+
* `script`
23
+
* `dns`
24
+
* `url`
25
+
26
+
However due to a flaw in the logic, these 3 keys are interpolated by default, when they should not (since they could represent a security risk).
27
+
28
+
# What's the Risk?
29
+
30
+
An attacker with control over the string passed into an affected `StringSubstitutor` replace could allow the attacker to:
31
+
* Run JavaScript code on the system (typically a server) executing the `StringSubstitutor` code
32
+
* Connect to other servers from the affected system
33
+
* Potentially gain access to other remove resources from the affected system
34
+
19
35
# Am I Vulnerable?
20
36
21
37
In order for your code to be vulnerable you need to:
skipped 3 lines
25
41
# Official Fix
26
42
The fix for this is to update your instances of `commons-text` to versions `1.10.0` or later.
27
43
44
+
# Note
45
+
46
+
The other default lookups could still potentially represent a security risk (such as the ability to read content of files, read system properies, etc). Use this feature with caution and make sure that all user input appropriately sanitised (for example passing through an allow list).
Sean Wright
committed
with
GitHub
2 years ago
1 parent f4263bbc