0

implementation group: 'com.github.jknack', name: 'handlebars', version: '4.3.0'

This version of handlebar has commons-text included as part of the pom. Even on exclusion it is not excluded from downloading the dependencies

critical
org.apache.commons_commons-text CVE-2022-42889
Fixed in: 1.10.0 4 days ago 40 days left 6 Impacted versions: >=1.5 and <1.10.0 Discovered: less than an hour ago Published: 4 days ago Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Vishnupriya
  • 1
  • 1
  • Can you please elaborate on how could we reproduce this error? Is this related to https://www.paloaltonetworks.com/prisma/cloud? – Nurul Sundarani Oct 21 '22 at 12:39

2 Answers2

0

This report looks to be false positive. Presence of commons-text does not indicate it is vulnerable.

Reference

GitHub's security blog describes the issue as follows

The StringSubstitutor when used with the default interpolators (StringSubstitutor.createInterpolator()) will perform string lookups that may lead to arbitrary code execution.

In particular, if untrusted data flows into the StringSubstitutor.replace() or StringSubstitutor.replaceIn() methods, an attacker will be able to use the ScriptStringLookup to trigger arbitrary code execution.

If we check the pom.xml of handlebars, it uses shade plugin to include some of the classes of commons-text but not all. This is done via minimizeJar feature of shade plugin. If we see this jar files, we dont find StringSubstitutor class.

<plugin>
<artifactId>maven-shade-plugin</artifactId>
<version>3.1.1</version>
<executions>
<execution>
<id>standalone</id>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
<configuration>
<minimizeJar>true</minimizeJar>
<artifactSet>
<includes>
<include>org.apache.commons:commons-lang3</include>
<include>org.apache.commons:commons-text</include>
<include>org.antlr:antlr4-runtime</include>
</includes>
</artifactSet>
<relocations>
<relocation>
<pattern>org.apache.commons.lang3</pattern>
<shadedPattern>com.github.jknack.handlebars.internal.lang3</shadedPattern>
</relocation>
<relocation>
<pattern>org.apache.commons.text</pattern>
<shadedPattern>com.github.jknack.handlebars.internal.text</shadedPattern>
</relocation>
<relocation>
<pattern>org.antlr.v4.runtime</pattern>
<shadedPattern>com.github.jknack.handlebars.internal.antlr</shadedPattern>
</relocation>
</relocations>
</configuration>
</execution>
</executions>
</plugin>
Kunal Surana
  • 659
  • 5
  • 14
0

We have been dealing with the same issue, and have decided to upgrade to a higher version on handlebar which does not try to include the commons-text 1.6 instead 1.10.1 which does not have any vulnerability issues.

We used 4.3.1 which is currently the latest version.

Sagarika Singh
  • 1