CVE-2022-42889 and APM

Article ID: 252479

Products

CA Application Performance Management (APM / Wily / Introscope)
CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management SaaS
DX APM SaaS
DX Application Performance Management

Issue/Introduction

CVE-2022-42889 was published in the National Vulnerability Database on 13 October 2022. More information can be found at https://nvd.nist.gov/vuln/detail/CVE-2022-42889


A remote code execution vulnerability in the Apache Commons Text string placeholder replacement class StringSubstitutor. When the class is used with the default replacement resolvers, via StringSubstitutor.createInterpolator(), attacker-controlled input text can cause remote code execution (the default lookups at issue are the script, dns and url prefixes). Other uses of StringSubstitutor that supply their own variable resolver are safe.

There is a new remote code execution vulnerability in Apache Commons Text versions 1.5 through 1.9 (fixed in 1.10.0): CVE-2022-42889.

It is in some ways similar to the Log4Shell vulnerability from a year earlier, but text substitution is nowhere near as widespread as logging. There are safe ways to use StringSubstitutor (a constructor that takes an explicit variable resolver) that avoid the vulnerable StringSubstitutor.createInterpolator() entirely.

See also: https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/ but note that, although it resembles the famous Log4Shell vulnerability, text substitution is used far less widely than logging, so the opportunities to exploit it are reduced.
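The two usage patterns described above, side by side, as an added example written for this article (it is not code from the Commons Text project or from APM). The class name, method names and the sample input are the author's own choices; the Commons Text API calls (StringSubstitutor.createInterpolator(), StringLookupFactory.INSTANCE.mapStringLookup(), the StringSubstitutor(StringLookup) constructor) are the real ones. The payload only reads a system property, but on Commons Text 1.5 to 1.9 the same prefix would accept arbitrary JavaScript.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SubstitutorPatterns {

    /**
     * VULNERABLE on commons-text 1.5 .. 1.9: createInterpolator() wires in the
     * default lookups, so any "${prefix:...}" inside untrusted text selects a
     * resolver by name. The script:, dns: and url: prefixes are the ones
     * CVE-2022-42889 is about; 1.10.0 disables those three by default.
     */
    static String renderWithInterpolator(String template) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(template);
    }

    /**
     * SAFE on every version: the only resolver is the explicit map, so
     * "${user}" resolves and "${script:javascript:...}" is not a known
     * variable and is left in the output as literal text.
     */
    static String renderWithExplicitResolver(String template, Map<String, String> vars) {
        StringLookup lookup = StringLookupFactory.INSTANCE.mapStringLookup(vars);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed input: an untrusted value that tries to pick the script lookup.
        String untrusted = "${script:javascript:java.lang.System.getProperty('user.name')}";
        Map<String, String> vars = Map.of("user", "alice");

        // Explicit resolver: the placeholder comes back unchanged.
        System.out.println(renderWithExplicitResolver("Hello " + untrusted, vars));
        // Explicit resolver: only the variables we defined are substituted.
        System.out.println(renderWithExplicitResolver("Hello ${user}", vars));

        // renderWithInterpolator("Hello " + untrusted) on 1.5 .. 1.9 would hand the
        // JavaScript to a JSR-223 engine if one (e.g. Nashorn) is on the classpath.
        // It is deliberately not invoked here.
    }
}
```

The first println prints "Hello ${script:javascript:java.lang.System.getProperty('user.name')}" and the second prints "Hello alice". The point is that the fix does not have to wait for a library upgrade: constructing StringSubstitutor with a resolver you control removes the whole class of prefix lookups from reach of untrusted input, which is the pattern the Resolution section below says APM uses.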

Environment

Environment: APM 10.x, 20.x, 21.x, 22.x

Resolution

In APM the library is used by the ACC component, but only in the safe way, through a constructor with an explicit variable resolver rather than StringSubstitutor.createInterpolator(). So there is no impact.
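For a reader who still wants to inventory which commons-text versions are present on an APM host (for example to satisfy a scanner that flags the jar regardless of how it is used), here is an added example, not code from APM or from the Commons Text project. The class name and the "bundled" marker string are the author's own; the assumption that a release jar carries META-INF/maven/org.apache.commons/commons-text/pom.properties holds for the official Maven-built releases.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.stream.Stream;

public class CommonsTextInventory {
    // Maven writes these coordinates into every official commons-text release jar.
    private static final String POM_PROPERTIES =
        "META-INF/maven/org.apache.commons/commons-text/pom.properties";
    // Fallback for jars that repackage the classes without Maven metadata.
    private static final String MARKER_CLASS = "org/apache/commons/text/StringSubstitutor.class";

    /** Version string if the jar carries commons-text metadata, "bundled" if only the
     *  classes are present, null if the jar does not contain commons-text at all. */
    static String inspect(Path jar) {
        try (JarFile jf = new JarFile(jar.toFile())) {
            JarEntry props = jf.getJarEntry(POM_PROPERTIES);
            if (props != null) {
                try (InputStream in = jf.getInputStream(props)) {
                    Properties p = new Properties();
                    p.load(in);
                    return p.getProperty("version", "bundled");
                }
            }
            return jf.getJarEntry(MARKER_CLASS) != null ? "bundled" : null;
        } catch (IOException e) {
            return null; // not a readable zip: skip it
        }
    }

    /** CVE-2022-42889 affects 1.5 through 1.9; 1.10.0 is the fixed release. */
    static boolean inAffectedRange(String version) {
        String[] parts = version.split("[.\\-]");
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = parts.length > 1 ? Integer.parseInt(parts[1]) : 0;
            return major == 1 && minor >= 5 && minor < 10;
        } catch (NumberFormatException e) {
            return false; // "bundled" or an odd version string: report, do not classify
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        try (Stream<Path> files = Files.walk(root)) {
            files.filter(p -> p.toString().endsWith(".jar")).forEach(jar -> {
                String v = inspect(jar);
                if (v == null) return;
                String verdict = v.equals("bundled") ? "version unknown, check manually"
                               : inAffectedRange(v)  ? "in affected range (<1.10)"
                               : "not in affected range";
                System.out.printf("%s%n  commons-text %s: %s%n", jar, v, verdict);
            });
        }
    }
}
```

Run it as `java CommonsTextInventory /path/to/apm` and read the verdict per jar. Two caveats: a copy shaded into a relocated package (anything other than org.apache.commons.text) will not match either marker and needs a manual look, and a jar in the affected range is still not exploitable when, as this article states for ACC, every StringSubstitutor is built with an explicit resolver rather than createInterpolator(). The inventory tells you what is on disk; it does not override the usage analysis above.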