This repository contains a simple application using Apache Commons Text 1.9, which is vulnerable to CVE-2022-42889.
Build and run the application via Docker:
docker build . -t vulnerable-app
docker run vulnerable-app
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d01d5cf33f60 vulnerable-app "java -jar demo-0.0.…" 11 seconds ago Up 11 seconds awesome_brown
$ docker container exec -it d01d5cf33f60 ash
/opt/app # ls /tmp
hsperfdata_root rce_test
As you can see, the file rce_test exists, which indicates that RCE was successful.
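To check whether other builds ship an affected library version, the following added example (not part of this repository) flags commons-text jars in the range affected by CVE-2022-42889, which is 1.5 through 1.9, with the fix in 1.10.0. The function name and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the repository): flag commons-text jars whose
# version is in the range affected by CVE-2022-42889 (1.5 through 1.9;
# fixed in 1.10.0). Reads one path per line on stdin, for instance the
# output of `zipinfo -1 app.jar` or `find . -name '*.jar'`.

check_commons_text() {
    while IFS= read -r path; do
        file=${path##*/}                    # strip directories
        case $file in
            commons-text-[0-9]*.*.jar) ;;   # needs at least major.minor
            *) continue ;;                  # not a commons-text jar
        esac
        ver=${file#commons-text-}
        ver=${ver%.jar}
        major=${ver%%.*}
        rest=${ver#*.}
        minor=${rest%%[!0-9]*}              # "10.0" -> 10, "9-SNAPSHOT" -> 9
        case "$major/$minor" in
            /*|*/|*[!0-9/]*) echo "UNKNOWN $path"; continue ;;
        esac
        if [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]; then
            echo "VULNERABLE $path"
        else
            echo "ok $path"
        fi
    done
}

# Constructed sample listing (hypothetical paths, not taken from this image).
sample_listing() {
    cat <<'EOF'
BOOT-INF/lib/commons-text-1.9.jar
BOOT-INF/lib/commons-lang3-3.12.0.jar
lib/commons-text-1.10.0.jar
lib/commons-text-1.4.jar
EOF
}

sample_listing | check_commons_text
```

A filename check like this misses shaded or renamed copies of the library, so treat a clean result as a first pass rather than proof.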