Security vulnerabilities CVE-2022-42889 and CVE-2022-33980


Published: 19 Oct 2022
Last Modified Date: 11 Nov 2022

Issue

Apache Commons Text versions 1.5 - 1.9 and Apache Commons Configuration versions 2.4 - 2.7 are impacted by CVE-2022-42889 and CVE-2022-33980. If untrusted values are passed to the methods StringSubstitutor.replace or StringSubstitutor.replaceIn, an attacker could potentially achieve remote code execution (RCE).
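
An inventory check for the affected library versions listed above, as an added example that is not part of the original article or of any vendor's code. It assumes the jars keep their standard Maven file names (commons-text-<version>.jar, commons-configuration2-<version>.jar); the sample file names are constructed.

```python
import re
import sys
from pathlib import Path

# Affected ranges as stated in this article (inclusive, major.minor).
# Assumption: jars on disk use the standard Maven artifact names.
AFFECTED = {
    "commons-text": ((1, 5), (1, 9)),
    "commons-configuration2": ((2, 4), (2, 7)),
}

JAR_RE = re.compile(
    r"^(commons-text|commons-configuration2)-(\d+(?:\.\d+)*)[^/]*\.jar$"
)

# Constructed sample file names, used when no directory is given.
SAMPLE_JARS = [
    "commons-text-1.4.jar",
    "commons-text-1.9.jar",
    "commons-text-1.10.0.jar",
    "commons-configuration2-2.7.jar",
    "commons-configuration2-2.8.0.jar",
    "commons-configuration-1.10.jar",
]


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so that 1.10 sorts above 1.9."""
    return tuple(int(part) for part in text.split("."))


def is_affected(jar_name):
    """Return True if the jar file name falls inside a listed range."""
    match = JAR_RE.match(jar_name)
    if not match:
        return False
    low, high = AFFECTED[match.group(1)]
    return low <= parse_version(match.group(2))[:2] <= high


def find_affected(root):
    """Walk a directory tree and return sorted paths of affected jars."""
    return sorted(str(p) for p in Path(root).rglob("*.jar") if is_affected(p.name))


if __name__ == "__main__":
    hits = (find_affected(sys.argv[1]) if len(sys.argv) > 1
            else [name for name in SAMPLE_JARS if is_affected(name)])
    print("\n".join(hits) or "no affected jars found")
```

A file-name check does not see copies bundled inside WAR or fat-jar archives or shaded under another name. A match shows only that the library is present; whether it is exploitable depends on untrusted input reaching the methods named above.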

Environment

Tableau products

Resolution

Based on currently available information, Tableau products are not impacted by CVE-2022-42889 or CVE-2022-33980 because Tableau does not use the vulnerable methods StringSubstitutor.replace or StringSubstitutor.replaceIn.