Apache Commons-text library vulnerability

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Developer Edition Version 8.9.6 (build 50800)
  • what are you trying to achieve
    Our internal security team has found vulnerability with apache-commons-text library. We checked and found SQ is also using that library with version 1.8
    So we want to know if we should ignore this or there is a mitigation recommended from SonarQube.
    Library was found in below location:

Details about vulnerability :

1 Like


Please refer to this thread:


1 Like

A post was merged into an existing topic: CVE-2022-42889 effect on SonarQube


Could I only replace the file from commons-text-1.8.jar to commons-text-1.10.0.jar in /opt/sonarqube-

I try it and SonarQube’s service startup successfully, any risk?

Hi @tsai_nat,

Welcome to the community!

As stated in the thread I referred to above,

SonarQube versions aren’t vulnerable to this because it doesn’t use the dependency in a way that would expose it to the vulnerability.

You should not be hacking your SonarQube instance. The risks are unknown but entirely on you.



Thanks for the reply, I understand.

I understand that SonarQube is not vulnerable to CVE-2022-42889, but it is planned a new version with the last commons-text jar ? I’m using 8.9 LTS, and unfortunately our Global security team has stringent policy about vulnarabilities. They expect the software to use non-vulnerable files.

Hi @morris_monaco,

You should consider upgrading to the latest version: 9.8. If you’re an LTS-only shop, then you’ll be pleased to know that 9.9 LTS will be released on 7 Feb.


Hello Ann
thank you for your tips. The version 9.8 or the next 9.9 LTS will solve the CVE-2022-42889 ? The commons-text jar is the last version ?
I don’t understand why 8.9 LTS it’s not update with the last version of jar commons-text . Normaly LTS meaning that software was supported for issues and bugs.


  • We just upgraded to the latest 9.8 version (EE) and

  • Our enterprise vulnerability scans still pick up on CVE-2022-42889.

  • In previous forum discussions it seems that this vulnerability does not affect sonarqube, but we have strict rules that vulnerable files cannot be used. It was also said manual patch is not recommended. In some replies I thought it was implied that the use of these vulnerabile files would be fixed in 9.8 or 9.9. Can I get a confirmation or an update on the progress for this?

Hello Jade,

Thank you for reaching out.

SQ 9.8 was shipped with commons-text 1.10.0, which patches CVE-2022-42889.
Which scanner did you use? Can you provide more details about your finding (e.g. on what path(s) this vulnerability was found)?

Thank you in advance.

1 Like