This Metasploit module exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the script key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9, use the StringSubstitutor interpolator, and the target should run JDK versions prior to 15.
3303e5c941051cbc6b4f8ddaa2c9912a8740038a8cc31a244e760936ff9694d8
Red Hat Security Advisory 2023-3299-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, cross site scripting, denial of service, deserialization, improper authorization, and information leakage vulnerabilities.
070dedb972682a284f682880ba83ebf6de70378d3be68806dd984d5184f93267
Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
0d190181de187a85cca97396c686e2bf391eef8e2f72f844b36951fbeb15a493
Red Hat Security Advisory 2023-3195-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, cross site scripting, information leakage, and insecure permissions vulnerabilities.
1c0f371bbf2460cdbd44e6232d75191d859f20b812ef0b81b78a5414981c6bc1
Red Hat Security Advisory 2023-3198-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, deserialization, information leakage, and insecure permissions vulnerabilities.
90baa6d6f8737bc29288b3b786655a657c5e97ed240d5aeb004a1660ffaa76c6
Red Hat Security Advisory 2023-1866-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.58. Issues addressed include a cross site scripting vulnerability.
60147a8fdf6c53e7eda20f3e0a6a5e994efa58cd13406e903a89573ee69fa740
Red Hat Security Advisory 2023-1656-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.56.
240de720e001bf838375281c8974f3f4db8855a03923fc43cfd177237fada857
Red Hat Security Advisory 2023-1655-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.56. Issues addressed include bypass, cross site scripting, information leakage, insecure permissions, and privilege escalation vulnerabilities.
f5fdb00ee615b9b2fbc00838a17e11fc10b0748dec647bfe139f3c9248ea106e
Red Hat Security Advisory 2023-1524-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.59.
76f4b0e3f3ea7884d6e299b4a81f60ce28ea66b48a087dabcd77087eea4a8cba
Red Hat Security Advisory 2023-1525-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.59.
c7fff0c27d61ac3bb7204fc93a47db5959206b2f34b2f34dc40a1a0403893667
Red Hat Security Advisory 2023-1006-01 - This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include code execution, denial of service, deserialization, information leakage, memory leak, and remote SQL injection vulnerabilities.
22e7b3eb2e44fe047c265d427baa95d5cd894dbe2e83f35b2ba2c51d7269e2f5
OX App Suite suffers from cross site scripting and server-side request forgery vulnerabilities.
5da321216ffd148c932f83887a1cd3f3515a69d20e80fbfd6a71cda91af29547
Red Hat Security Advisory 2023-0469-01 - Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available. Issues addressed include denial of service and memory exhaustion vulnerabilities.
78de6afc9535fe20cdbc4329849f36770128cfd58b4cbe81608fa281372496ec
Red Hat Security Advisory 2023-0261-02 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
f0b8a6d8460d61fa4ae9979d110407f1930effd68e878c401f90127a6b9a5027
Gentoo Linux Security Advisory 202301-5 - A vulnerability has been discovered in Apache Commons Text which could result in arbitrary code execution. Versions less than 1.10.0 are affected.
db71108f98463292403fd7c6f94877025ceff307cd04b48feff8fc02a418ecb7
Red Hat Security Advisory 2022-9023-01 - This release of Red Hat build of Quarkus 2.13.5 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include denial of service and remote SQL injection vulnerabilities.
df6b37e9380bd4d9840f228c66d0517e1bce9318d82620afe02d2b5655495e78
Red Hat Security Advisory 2022-8902-01 - This release of Camel for Spring Boot 3.18.3 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include a denial of service vulnerability.
82726123a48b0a4f3384ba9dcbe543e687280dbbf0db4f130286e5888018f73c
Red Hat Security Advisory 2022-8876-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.10.2 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include a denial of service vulnerability.
dd653c1e0ad52e5524dc257ed3b3491dcdb1dcd93451da4187a377acfe1bde05