commons-text/src/conf/security/VEX.cyclonedx.xml at 8d3a87cdc8d2b069a76779f16cca7bddad549543 · apache/commons-text · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Licensed to the Apache Software Foundation (ASF) under one or more
  ~ contributor license agreements.  See the NOTICE file distributed with
  ~ this work for additional information regarding copyright ownership.
  ~ The ASF licenses this file to you under the Apache License, Version 2.0
  ~ (the "License"); you may not use this file except in compliance with
  ~ the License.  You may obtain a copy of the License at
  ~
  ~      http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
<!--
  To update this document:
    1. Increment the `version` attribute in the <bom> element.
    2. Update the `timestamp` in the <metadata> section.
-->
<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 https://cyclonedx.org/schema/bom-1.6.xsd"
     serialNumber="urn:uuid:f70dec29-fc7d-41f2-8c60-97e9075e0e73"
     version="1">

  <metadata>
    <timestamp>2025-07-29T12:26:42Z</timestamp>
    <component type="library" bom-ref="main_component">
      <group>org.apache.commons</group>
      <name>commons-text</name>
      <cpe>cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*</cpe>
      <purl>pkg:maven/org.apache.commons/commons-text?type=jar</purl>
    </component>
    <manufacturer>
      <name>The Apache Software Foundation</name>
      <url>https://commons.apache.org</url>
      <contact>
        <name>Apache Commons PMC</name>
        <email>dev@commons.apache.org</email>
      </contact>
      <contact>
        <name>Apache Commons Security Team</name>
        <email>security@commons.apache.org</email>
      </contact>
    </manufacturer>
  </metadata>

  <vulnerabilities>
    <vulnerability>
      <id>CVE-2025-48924</id>
      <references>
        <reference>
          <id>GHSA-j288-q9x7-2f5v</id>
          <source>
            <url>https://github.com/advisories/GHSA-j288-q9x7-2f5v</url>
          </source>
        </reference>
      </references>
      <analysis>
        <state>exploitable</state>
        <responses>
          <response>update</response>
        </responses>
        <detail>
          CVE-2025-48924 is exploitable in Apache Commons Text versions 1.5 and later, but only when all the following conditions are met:

          * The consuming project includes a vulnerable version of Commons Text on the classpath.
            As of version `1.14.1`, Commons Text no longer references a vulnerable version of the `commons-lang3` library in its POM file.
          * Unvalidated or unsanitized user input is passed to the `StringSubstitutor` or `StringLookup` classes.
          * An interpolator lookup created via `StringLookupFactory.interpolatorLookup()` is used.

          If these conditions are satisfied, an attacker may cause an infinite loop by submitting a specially crafted input such as `${const:...}`.
        </detail>
        <firstIssued>2025-07-29T12:26:42Z</firstIssued>
        <lastUpdated>2025-07-29T12:26:42Z</lastUpdated>
      </analysis>
      <affects>
        <target>
          <ref>main_component</ref>
          <versions>
            <version>
              <range><![CDATA[vers:maven/>=1.5|<2]]></range>
              <status>affected</status>
            </version>
          </versions>
        </target>
      </affects>
    </vulnerability>
  </vulnerabilities>

  <annotations>
    <annotation>
      <annotator>
        <individual>
          <name>Apache Commons PMC</name>
          <email>dev@commons.apache.org</email>
        </individual>
      </annotator>
      <timestamp>2025-07-29T12:26:42Z</timestamp>
      <text>
        This document provides information about the **exploitability of known vulnerabilities** in the **dependencies** of Apache Commons Text.

        # When is a dependency vulnerability exploitable?

        Because Apache Commons libraries do **not** bundle their dependencies, a vulnerability in a dependency is only exploitable if **both** of the following conditions are true:

        1. The vulnerable dependency is included in the consuming project.
        2. Apache Commons Text is explicitly listed as affected by the vulnerability.

        # Notes and Limitations

        * This VEX document is **experimental** and provided **as-is**.
          The semantics of this document may change in the future.
        * The **absence** of a vulnerability entry does **not** indicate that Text is unaffected.
        * If a version of Text is not listed under the `affects` section of a vulnerability, that version may still be affected or not.
        * Only the **latest major version** of Text is currently assessed for vulnerabilities.
        * The `analysis` field in the VEX file uses **Markdown** formatting.
      </text>
    </annotation>
  </annotations>
</bom>