Apache Commons Text CVE-2022-42889

Hello all,
our EDR reports this vulnerability in the following 3 files:

  • c:\program files\autopsy-4.20.0\autopsy\solr\server\solr-webapp\webapp\web-inf\lib\commons-text-1.6.jar
  • c:\program files\autopsy-4.20.0\autopsy\solr\solr\lib\commons-text-1.6.jar
  • c:\program files\autopsy-4.20.0\autopsy\modules\ext\commons-text-1.9.jar

Since it’s marked as a critical CVE, I’m curious whether I could simply replace those with a newer version (1.10.0 is available from Apache Commons), or whether we have to wait for a new Autopsy release to address those.

Thank you in advance!

I would not replace the libraries as they have not been tested with Autopsy and there could be issues with them. I will put this on the list of things that need to be looked at for a future release of Autopsy.
