Security News > 2022 > October > Dangerous hole in Apache Commons Text – like Log4Shell all over again
As you no doubt remember from Log4Shell, unnecessary "Features" in an Apache programming library called Log4J suddenly made all these scenarios possible on any server where an unpatched version of Log4J was installed.
A user who pretended their name was $ , for example, would typically get logged by the Log4J code under the name of the server account doing the processing, if the app didn't take the precaution of checking for dangerous characters in the input data first.
History is repeating itself again in October 2022, with a third Java source code library called Apache Commons Text picking up a CVE for reckless string interpolation behaviour.
Commons Text is a general-purpose text manipulation toolkit, described simply as "a library focused on algorithms working on strings".
Wherever you accept and process untrusted data, especially in Java code, where string interpolation is widely supported and offered as a "Feature" in many third-party libraries, make sure you look for and filter out potentially dangerous character sequences from the input first, or take care not to pass that data into string interpolation functions.
Jar is short for java archive, which is how Java libraries are delivered and installed; the prefix common-text denotes the Apache Common Text software components, and the text in the middle covered by the so-called wildcard * denotes the version number you've got.