Views:
Question:
Is DocuWare Fulltext affected by the CVE-2022-42889 vulnerability?

The vulnerability affects the following file: ...\DocuWare\Full-Text Server (x64)\solr\server\solr-webapp\webapp\WEB-INF\lib\commons-text-1.6.jar.

Answer:
By product design, DocuWare is not affected by this vulnerability as DocuWare does not use the functionality that can be exploited.

KBA is applicable to on-premises Organizations ONLY.
This article is valid for DocuWare versions: 7.6, 7.7, 7.8, 7.9, 7.10, CVE-2022-42889, Fulltext, Vulnerability, SOLR
Comments (3)
  • Pedro E. Gonzalez-Santini
    Mon, 02 Dec 2024 15:49:30 GMT
    Can the file be renamed or deleted or must it be left in place?
  • Pedro E. Gonzalez-Santini
    Fri, 30 Jan 2026 15:08:06 GMT
    DocuWare version 7.11 (as seen in the Presentation VM) shows the 1.10 jar file which does not have the vulnerability as described in https://nvd.nist.gov/vuln/detail/CVE-2022-42889

    That module is not used by DocuWare anyway. 
  • Joseph Horky
    Wed, 18 Feb 2026 17:46:50 GMT
    Hello Pedro, the file cannot be renamed or deleted, it must be left in place.

    You are correct, DocuWare version 7.11 has an updated file and no longer has the vulnerability.