A critical security flaw in Apache Commons Text has been compared to the infamous Log4Shell flaw, but experts say it is not as widespread. Apache Commons Text is an open source Java library made specifically for working with strings.
Alvaro Munoz, a researcher at GitHub’s Security Lab, identified the library’s arbitrary code execution vulnerability in March. It arises when the library’s variable interpolation feature is applied to untrusted data. The vulnerability, identified as CVE-2022-42889, was patched last week with the release of version 1.10.0 by the Apache Commons development team.
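As an added illustration (not code from this article or from the Apache Commons project), the following shows the defensive pattern for an application that must run Commons Text interpolation over templates that may carry untrusted data: instead of the library's default interpolator, it builds a `StringSubstitutor` with an explicit allowlist of lookups. The class name, the chosen allowlist and Java 9+ (`Map.of`) are assumptions.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {
    // Allowlist of interpolation prefixes this application actually needs.
    // Everything else, including the script, dns and url lookups that the
    // default interpolator enabled before 1.10.0, is deliberately absent.
    private static final Map<String, StringLookup> ALLOWED = Map.of(
        StringLookupFactory.KEY_DATE, StringLookupFactory.INSTANCE.dateStringLookup(),
        StringLookupFactory.KEY_SYS,  StringLookupFactory.INSTANCE.systemPropertyStringLookup()
    );

    // The risky pattern is StringSubstitutor.createInterpolator().replace(untrusted).
    // Here addDefaultLookups=false and no fallback lookup: only ALLOWED is consulted,
    // so any prefix outside the allowlist is left as literal text.
    private static final StringSubstitutor SAFE = new StringSubstitutor(
        StringLookupFactory.INSTANCE.interpolatorStringLookup(ALLOWED, null, false));

    public static String render(String template) {
        return SAFE.replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample template mixing allowed prefixes with one that is not allowed.
        String template = "Built in ${date:yyyy} by ${sys:user.name}; ${env:HOME} stays literal";
        System.out.println(render(template));
    }
}
```

Upgrading to 1.10.0 removes the dangerous lookups from the default interpolator, but an explicit allowlist like this also documents which prefixes the application intends to resolve.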
Since its disclosure almost a year ago, Log4Shell, which affects the widely used Log4j Java logging framework, has been used in numerous attacks.