This vulnerability was analyzed during Episode 159 on 17 October 2022
Just another thing to be testing for, it was found that the Apache Commons Text library when doing a StringLookup
will do variable expansion. Supporting several prefixes like url
to fetch data from a remote url or script
to execute a Javax string. This is just a reported issue in the core library, actual vulnerable instances will vary depending on how the lookup is accessed. It would make sense to start tossing something like ${url:https://example.com}
into your testing though just to see what happens to ping your URL.