[Apache Commands Text] Insecure Variable Interpolation in StringLookup
We discussed this vulnerability during Episode 159 on 17 October 2022
Just another thing to be testing for: it was found that when the Apache Commons Text library performs a StringLookup, it does variable interpolation and supports several prefixes, such as `url`, which fetches data from a remote URL, and `script`, which evaluates an expression through the JVM's javax.script engine. This is a reported issue in the core library, so the actual vulnerable instances will vary depending on how the lookup is reached by untrusted input. It would still make sense to start tossing something like `${url:https://example.com}` into your testing, just to see whether a request to your URL shows up.
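As an added example (not code from the podcast or from Apache Commons Text itself), the snippet below contrasts the default interpolator, which registers every built-in lookup, with a substitutor restricted to an explicit allow-list of lookups; the class name, the `app` prefix and the sample input are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    // Constructed sample: an attacker-controlled string that reaches a StringSubstitutor.
    static final String UNTRUSTED = "hello ${url:https://example.com}";

    // Risky pattern: createInterpolator() registers all built-in lookups, including
    // url, dns and script, so untrusted input can trigger network requests or script
    // evaluation. Defined here for contrast; main() deliberately never calls it.
    static String expandWithDefaults(String input) {
        return StringSubstitutor.createInterpolator().replace(input);
    }

    // Hardened pattern: only the lookups we name are registered. With addDefaultLookups
    // set to false, url:/dns:/script: prefixes are unknown, the lookup returns null, and
    // the substitutor leaves the "${...}" placeholder as literal text instead of expanding it.
    static String expandRestricted(String input, Map<String, String> allowedValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(allowedValues));
        StringLookup lookup =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup).replace(input);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("name", "demo");
        // Allow-listed prefix is expanded from our own map.
        System.out.println(expandRestricted("hi ${app:name}", values));
        // Unknown prefix is not expanded, so no outbound request is made.
        System.out.println(expandRestricted(UNTRUSTED, values));
    }
}
```

If a code base must keep `createInterpolator()`, upgrading to a Commons Text release that no longer enables the url, dns and script lookups by default, and never passing untrusted input into `replace`, are the two checks worth making.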