[GitHub] [commons-text] jvz commented on a diff in pull request #374: Add statement about CVE-2022-42889 to frontpage

[GitBox <gi...@apache.org>]

jvz commented on code in PR #374:
URL: https://github.com/apache/commons-text/pull/374#discussion_r998314429


##########
src/site/xdoc/index.xml:
##########
@@ -41,6 +41,41 @@ The <a href="scm.html">Git repository</a> can be
 </p>
 </section>
 <!-- ================================================== -->
+<section name="Security">
+  <subsection name="CVE-2022-42889 prior to 1.10.0, RCE when applied to untrusted input">
+    <p>
+    On 2022-10-13, the Apache Commons Text team disclosed <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889">CVE-2022-42889</a>. Key takeaways:
+    <ul>
+      <li>If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the <code>StringSubstitutor</code> API without propery sanitizing any untrusted input.</li>
+      <li>If your own software uses commons-text, double-check whether it uses the <code>StringSubstitutor</code> API without propery sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.</li>

Review Comment:
   ```suggestion
         <li>If your own software uses commons-text, double-check whether it uses the <code>StringSubstitutor</code> API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.</li>
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org