WordPress security company Wordfence on Thursday said it started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022.
The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
It’s also similar to the now infamous Log4Shell vulnerability in that the issue is rooted in the manner string substitutions carried out during DNS, script, and URL lookups could lead to the execution of arbitrary code on susceptible systems when passing untrusted input.
“The attacker can send a crafted payload remotely using ‘script,’ ‘dns,’ and ‘url’ lookups to achieve arbitrary remote code execution,” the Zscaler ThreatLabZ team explained.
A successful exploitation of the flaw can enable a threat actor to open a reverse shell connection with the vulnerable application simply via a specially crafted payload, effectively opening the door for follow-on attacks.
images from Hacker News