by tiarafawn 1338 days ago
This doc page [1] seems to have all the interesting API methods listed that could be exploitable. Looks like an attacker would need to be able to inject a malicious payload like `${script:xyz}` inside of a String template used for one of the functions that ultimately do String interpolate/replace/lookup actions. While not as trivial as the exploit path for Log4j, it seems conceivable that some applications have injection points here, especially if they perform multi-stage/recursive replace operations.

What's quite interesting is that the `env` Lookup is still enabled by default. If I understand correctly, this would imply that leaking environment variables is still possible even with the fix, if the attacker has an injection point and access to the return value of the vulnerable function.

[1] https://commons.apache.org/proper/commons-text/apidocs/org/a...
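
Added example, not part of the comment above and not Apache Commons Text project code: a contrast between passing untrusted text into an interpolating template and passing it only as a value to a map-backed `StringSubstitutor`. It assumes commons-text is on the classpath and that `PATH` is set in the environment; the class name, method names and sample input are constructed for illustration.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;

public class TemplateInjectionDemo {
    // Constructed sample: untrusted text that happens to contain lookup syntax.
    static final String UNTRUSTED = "guest ${env:PATH}";

    // Risky pattern: untrusted text becomes part of the template handed to the
    // interpolator, so every lookup that is enabled by default is evaluated.
    static String riskyGreeting(String name) {
        return StringSubstitutor.createInterpolator().replace("Hello " + name);
    }

    // Safer pattern: the template is a constant, untrusted text is only a value,
    // and the substitutor can resolve nothing except the keys in this map.
    static String safeGreeting(String name) {
        StringSubstitutor sub = new StringSubstitutor(Map.of("name", name));
        sub.setDisableSubstitutionInValues(true);    // do not rescan inserted values
        sub.setEnableSubstitutionInVariables(false); // no nested variable names
        return sub.replace("Hello ${name}");
    }

    public static void main(String[] args) {
        String risky = riskyGreeting(UNTRUSTED);
        String safe = safeGreeting(UNTRUSTED);
        // Print only booleans so the environment value itself is never logged.
        System.out.println("risky call expanded the lookup: "
                + !risky.contains("${env:PATH}"));
        System.out.println("safe call kept input literal:  "
                + safe.equals("Hello " + UNTRUSTED));
    }
}
```

When reviewing a code base, the calls to look for are `createInterpolator()` (or any substitutor built on the interpolator lookup) whose template argument is assembled from request data, and any place where the output of one replace pass is fed into another.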