This repository contains a simple application using Apache Commons Text 1.9, which is vulnerable to CVE-2022-42889.
- Copy DemoApplication.java to your repo.
- Run the main method with the default string (suggested).
- If the output for the default string is 519, or if the app runs without any error, then the app is exploitable. 🥵

- Clone the repo.
- Build the project:
  `mvn assembly:assembly -DdescriptorId=jar-with-dependencies`
- Run the application on the VM with the command below:
  `java -jar target/demo-0.0.1-SNAPSHOT-jar-with-dependencies.jar`
- When asked for input, accept the default string (press Enter).
- If the output for the default string is 519, or if the app runs without any error, then the app is exploitable. 🥵

- Clone the repo.
- Replace `OPENJRE_JRE_IMAGE` with the image in your repo.
- Build and run the application via Docker:
  `docker build -t poc .`
  `docker run -it poc`
- When asked for input, accept the default string (press Enter).
- If the output for the default string is 519, or if the app runs without any error, then the app is exploitable. 🥵

As you can see, the operation is executed, which indicates that RCE was successful.
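
Because the build above produces a `jar-with-dependencies`, the Commons Text classes are unpacked into the application jar and a scan of jar file names will not find them. The following is an added example, not part of this repository: a Python check that opens a jar (and any jars nested inside it) and reports the bundled Commons Text version. It assumes the library's Maven `pom.properties` entry survives in the fat jar and uses the advisory's affected range of 1.5 through 1.9; `scan_jar` and `make_sample_jar` are hypothetical names, and the sample jar is constructed in memory.

```python
import io
import re
import sys
import zipfile

# Maven records a bundled artifact's version in this entry; a jar-with-dependencies
# build unpacks dependencies, so it is expected inside the fat jar (assumption).
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
# Affected range for CVE-2022-42889 per the Apache advisory: 1.5 through 1.9.
AFFECTED_MIN, AFFECTED_MAX = (1, 5), (1, 9)

def parse_version(text):
    """Return (major, minor) from a pom.properties body, or None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)", text, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def scan_jar(jar, depth=0):
    """Yield (location, version, affected) for each commons-text copy found.
    `jar` is a path or file object; nested jars are opened up to depth 3."""
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                if ver is not None:
                    yield name, ver, AFFECTED_MIN <= ver <= AFFECTED_MAX
            elif name.endswith(".jar") and depth < 3:
                try:
                    inner = io.BytesIO(zf.read(name))
                    for loc, ver, bad in scan_jar(inner, depth + 1):
                        yield f"{name}!{loc}", ver, bad
                except zipfile.BadZipFile:
                    continue  # entry is not a real archive; skip it

def make_sample_jar(version):
    """Build a constructed in-memory jar holding only the pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=commons-text\nversion={version}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # With no arguments, run against the constructed sample instead of a real jar.
    targets = sys.argv[1:] or [make_sample_jar("1.9")]
    for t in targets:
        for loc, ver, bad in scan_jar(t):
            label = t if isinstance(t, str) else "<sample>"
            print(label, loc, ver, "AFFECTED" if bad else "ok")
```

A hit means the affected library is on the classpath, not that untrusted input reaches its string interpolation; upgrading to Commons Text 1.10.0 or later removes the finding.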