Apache Commons Text CVE-2022-42889

mp2 · April 24, 2023, 4:52pm

Hello all,
our EDR reports this vulnerability in the following 3 files:

c:\program files\autopsy-4.20.0\autopsy\solr\server\solr-webapp\webapp\web-inf\lib\commons-text-1.6.jar
c:\program files\autopsy-4.20.0\autopsy\solr\solr\lib\commons-text-1.6.jar
c:\program files\autopsy-4.20.0\autopsy\modules\ext\commons-text-1.9.jar

Since it’s marked a critical CVE I’m curious if I could simply replace those with a newer version, 1.10.0 is available from Apache Commons or we have to wait for a new Autopsy release to address those.

Thank you in advance!

Mark_McKinnon · April 24, 2023, 7:46pm

I would not replace the libraries as they have not been tested with Autopsy and there could be issues with them. I will put this on the list of things that need to be looked at for a future release of Autopsy.

mp2 · March 13, 2025, 8:57am

I’ve just upgraded to 4.22.0 and it still seems to have the vulnerable commons-text-1.6.jar

Mark_McKinnon · March 13, 2025, 6:06pm

The commons-text-1.6.jar file is associated with Solr. According to Solr security news Solr™ Security News - Apache Solr, the CVE-2022-42869 is not affected.

Solr will have to be upgraded to a new release in order for the commons-text.jar file to be upgraded to a higher version.

Topic		Replies	Views
Log4j Remote Code Execution Vulnerability Available Autopsy Development	3	718	September 13, 2023
Is Autopsy 4.19.3 using Apache Log4j vulnerable to CVE-2021-44832 Autopsy Development	4	589	October 18, 2022
Solr 8.1.1.0 + Autopsy 4.11 Autopsy Help	4	1386	July 12, 2019
Ubuntu 20.04 - SOLR / ZOOKEPER Autopsy on Linux / macOS	3	1411	January 1, 2022
Autopsy 4.18 cluster solr problem Autopsy Help	3	817	April 22, 2021

Apache Commons Text CVE-2022-42889

Related topics