Is sqlg affected by the vulnerability of Apache Commons Text? #468

antheil · 2022-10-18T13:28:28Z

antheil
Oct 18, 2022

A vulnerability was found in Apache Commons Text recently. Is slqg affected by that?
Details could be found in: https://seclists.org/oss-sec/2022/q4/22
CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults
Thanks.
@pietermartin @diegonc @ssalevan @metlos @JPMoresmau

Answered by pietermartin

Oct 18, 2022

No, a search in Sqlg shows that Sqlg itself only uses,
org.apache.commons.text.RandomStringGenerator
org.apache.commons.text.StringEscapeUtils

If I read the vulnerability correctly it refers to org.apache.commons.text.lookup.StringLookup

Apache Commons Text is however also used by TinkerPop's gremlin-core and gremlin-language and gremlin-test.
Searching in there is looks like it only uses,

org.apache.commons.text.StringEscapeUtils
org.apache.commons.text.TextStringBuilder

View full answer

pietermartin · 2022-10-18T13:54:14Z

pietermartin
Oct 18, 2022
Maintainer

No, a search in Sqlg shows that Sqlg itself only uses,
org.apache.commons.text.RandomStringGenerator
org.apache.commons.text.StringEscapeUtils

If I read the vulnerability correctly it refers to org.apache.commons.text.lookup.StringLookup

Apache Commons Text is however also used by TinkerPop's gremlin-core and gremlin-language and gremlin-test.
Searching in there is looks like it only uses,

org.apache.commons.text.StringEscapeUtils
org.apache.commons.text.TextStringBuilder

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is sqlg affected by the vulnerability of Apache Commons Text? #468

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Is sqlg affected by the vulnerability of Apache Commons Text? #468

antheil Oct 18, 2022

Replies: 1 comment

pietermartin Oct 18, 2022 Maintainer

antheil
Oct 18, 2022

pietermartin
Oct 18, 2022
Maintainer