ID: CVE-2022-26134

Last Modified: June 14, 2022

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

Twitter Activity

Tweets last week: 324

Remaining steady

Yahoo Activity

Yahoo results: 2110065408

Strongly rising

EPSS History

Current EPSS Score: 0.86384

Remaining steady


Reddit Activity

Reddit Posts: 37

Remaining steady

Github Repos

Github Repos: 56

Remaining steady

Exploits

Found exploits:

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

Base Score: 9.8

Exploitability Score: 3.9

Impact Score: 5.9

CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Access Vector: Network

Access Complexity: Low

Authentication: None

Confidentiality Impact: Partial

Integrity Impact: Partial

Availability Impact: Partial

Base Score: 7.5

Exploitability Score: 10.0

Impact Score: 6.4

CVSS V2: AV:N/AC:L/Au:N/C:P/I:P/A:P


CWE-74

# Snort rules referencing CVE-2022-26134 (one rule per line).
# sids 59927-59933: JSP webshell upload/download signatures (follow-on activity, not the injection itself).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Jsp.Webshell.TinyUploader upload attempt"; flow:to_server,established; content:"java.io.FileOutputStream"; fast_pattern:only; content:"<%"; content:"request"; within:100; content:"write"; content:"getParameter"; within:100; isdataat:!600; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; sid:59927; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Jsp.Webshell.Chopper webshell download attempt"; flow:to_client,established; file_data; content:"DriverManager.getConnection"; content:"ServletOutputStream"; content:"ResultSetMetaData"; content:"request.getParameter"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; sid:59928; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Jsp.Webshell.Behinder download attempt"; flow:to_client,established; file_data; content:"<%"; content:"java.util.*"; content:"extends ClassLoader"; fast_pattern:only; content:"defineClass"; content:"getInstance(|22|AES|22|)"; content:"decodeBuffer"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; sid:59929; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Jsp.Webshell.Noop download attempt"; flow:to_client,established; file_data; content:"java.util.*"; content:"java.io.FileOutputStream"; distance:0; content:"request.getParameter(|22|name|22|)"; within:200; fast_pattern; content:"request.getParameter(|22|contentString|22|)"; isdataat:!300,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; sid:59930; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Jsp.Webshell.Chopper upload attempt"; flow:to_server,established; content:"DriverManager.getConnection"; content:"ServletOutputStream"; content:"ResultSetMetaData"; content:"request.getParameter"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; sid:59931; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Jsp.Webshell.Behinder upload attempt"; flow:to_server,established; content:"<%"; content:"java.util.*"; content:"extends ClassLoader"; fast_pattern:only; content:"defineClass"; content:"getInstance(|22|AES|22|)"; content:"decodeBuffer"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; sid:59932; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Jsp.Webshell.Noop upload attempt"; flow:to_server,established; content:"java.util.*"; content:"java.io.FileOutputStream"; distance:0; content:"request.getParameter(|22|name|22|)"; within:200; fast_pattern; content:"confluence"; nocase; content:"request.getParameter(|22|contentString|22|)"; isdataat:!300,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; sid:59933; rev:2;)
# sids 59934, 59941, 59947, 59948: OGNL expression injection attempts, matched in the HTTP URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; content:"${"; fast_pattern; http_uri; content:"java"; distance:0; http_uri; content:"|28|"; distance:0; http_uri; content:"}"; distance:0; http_uri; pcre:"/\x24\x7b[^\x7d]*?javax?\x2e[^\x7d]*?\x28/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; classtype:attempted-user; sid:59934; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; content:"${"; fast_pattern; http_uri; content:"atlassian."; distance:0; http_uri; content:"|28|"; distance:0; http_uri; content:"}"; distance:0; http_uri; pcre:"/\x24\x7b[^\x7d]*?atlassian\x2e[^\x7d]*?\x28/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; classtype:attempted-user; sid:59941; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; content:"${"; http_uri; content:"sun.misc.Unsafe"; distance:0; fast_pattern; http_uri; content:"|28|"; distance:0; http_uri; content:"}"; distance:0; http_uri; pcre:"/\x24\x7b[^\x7d]*?sun\x2emisc\x2eUnsafe[^\x7d]*?\x28/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; classtype:attempted-user; sid:59947; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; content:"${"; http_uri; content:"com.opensymphony."; distance:0; fast_pattern; http_uri; content:"|28|"; distance:0; http_uri; content:"}"; distance:0; http_uri; pcre:"/\x24\x7b[^\x7d]*?com\x2eopensymphony\x2e(xwork2|webwork)\x2e(Servlet)?ActionContext[^\x7d]*?\x28/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2022-26134; classtype:attempted-user; sid:59948; rev:1;)

Condition Configuration
OR
OR
Date: June 14, 2022

CWE-ID: Not defined
Base Score V2: Not defined
Exploitability Score V2: Not defined
Impact Score V2: Not defined
Base Score V3: Not defined
Exploitability Score V3: Not defined
Impact Score V3: Not defined
Cvss Vector V2: Not defined
Cvss Vector V3: Not defined
Configuration:
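added (the wildcard entries below show no version bounds; the affected version ranges are those given in the description):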
cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*



                    <?xml version="1.0" ?>
<set operator="and">
    <!-- Top-level AND: one of the applications in the OR group below, plus
         program_influence = input and range = remote. Presumably this is the
         precondition side of the entry (the page labels the section
         "Condition Configuration"); confirm against the format's specification. -->
    <!-- NOTE(review): twelve of the fourteen CPE values below have a wildcard
         version and no version-range bounds are visible here, so as written they
         match any release of the product. The description on this page limits the
         affected releases to specific ranges (fixed in 7.4.17, 7.13.7, 7.14.3,
         7.15.2, 7.16.4, 7.17.4 and 7.18.1). Use those ranges when scoping, and
         confirm whether the consumer of this file obtains the bounds elsewhere. -->
    <set operator="or">
        <!-- Confluence Data Center: one exact version (7.18.0) followed by six wildcard entries. -->
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"/>
        <!-- Confluence Server: same pattern, 7.18.0 followed by six wildcard entries. -->
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"/>
        <prop key="application" value="cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"/>
    </set>
    <!-- Presumably: the attacker must be able to supply input to the application. TODO confirm key semantics. -->
    <prop key="program_influence" value="input"/>
    <!-- Presumably corresponds to the Network attack vector in the CVSS data on this page. TODO confirm. -->
    <prop key="range" value="remote"/>
</set>

                  
                      <?xml version="1.0" ?>
<set operator="and">
    <!-- Top-level AND over target, program_influence, data, data_influence and range.
         NOTE(review): presumably this second document describes what an attacker gains
         after successful exploitation (it is broad in every dimension, in line with the
         High confidentiality, integrity and availability ratings on this page);
         confirm against the format's specification. -->
    <prop key="target" value="host"/>
    <!-- Any one of three program_influence values satisfies this group. -->
    <set operator="or">
        <prop key="program_influence" value="input"/>
        <prop key="program_influence" value="output"/>
        <prop key="program_influence" value="existence"/>
    </set>
    <prop key="data" value="any"/>
    <!-- Any one of read, write or delete satisfies this group. -->
    <set operator="or">
        <prop key="data_influence" value="read"/>
        <prop key="data_influence" value="write"/>
        <prop key="data_influence" value="delete"/>
    </set>
    <!-- Either remote or local range satisfies this group. -->
    <set operator="or">
        <prop key="range" value="remote"/>
        <prop key="range" value="local"/>
    </set>
</set>