A vulnerability in the Apache Commons Text Java library that allows remote code execution (RCE) when certain conditions are met in versions 1.5-1.9 was published on 13 October 2022 by Gary D. Gregory from Apache, and was later assigned the CVE identifier CVE-2022-42889.
Does Templafy use this library? Does this vulnerability affect Templafy?
Templafy does not have any Java code, either on our servers or deployed to clients.
Templafy’s security engineers have analyzed the vulnerability and verified that the vulnerability only occurs when this specific Java library is used, and certain conditions are met. Hence, it does not affect Templafy.
Furthermore, we’ve verified that neither our codebase nor any libraries we have deployed to servers or clients contain references to, or use, Apache Commons Text in any way.