ArcGIS Trust Center

Commons-text Vulnerability

There has been a recent string of media-hyped open-source component vulnerabilities over the last several weeks, which includes Apache Commons-text CVE-2022-42889, with a base critical impact severity, however the vulnerability is actively being reassessed by the National Vulnerability Database team.

While Commons-text is utilized across a number of ArcGIS products, we have validated that the base ArcGIS Enterprise deployment (Portal for ArcGIS, ArcGIS Server, ArcGIS Datastore) and ArcGIS Pro are not vulnerable.  A security scanner run against these products may incorrectly flag the vulnerability as present.  This is because some security scanners detect a vulnerable version of Commons-text, however we have confirmed that the library, when present in these products, is not used a way that would make it vulnerable to this CVE.

Esri continues to inventory our products and systems potentially impacted by the vulnerability.  If a product is impacted, information will be added here.


Inline Feedbacks
View all comments

Next Article

2022 ArcGIS Online year in review

Read this article