Vulnerability in WhatsAppParser caused by Apache Commons Text 1.8 dependency #1374
Assignees
Labels
Comments
|
I just received a private POC about this by Xavier from Fastly, forwarded by CERT.br, where arbitrary local commands could be executed by WA parser. Original POC sent didn't work, because we perform a basic clean up of all message body strings, but it was easy to fix the POC and execute "calc.exe" in examiners machine while processing the case. So I'll roll a 4.0.6 fixing release. |
|
Affects 3.18.1 <= version <= 4.0.5 |
lfcnassif
added a commit
that referenced
this issue
Oct 19, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm not sure if it affects us, but since CVE-2022-42889 is a about a possible RCE, it's safer to upgrade the library.
The text was updated successfully, but these errors were encountered: