added confluence metadata and minor matcher updates (#3929)

patch-1
Sandeep Singh 2022-03-19 16:12:08 +05:30 committed by GitHub
parent bf8b545fed
commit ec2246ee22
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 43 additions and 14 deletions


@ -1,21 +1,25 @@
id: CVE-2015-8399
info:
author: princechaddha
name: Atlassian Confluence configuration files read
severity: medium
description: Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
reference: https://jira.atlassian.com/browse/CONFSERVER-39704?src=confmacro
tags: cve,cve2015,atlassian,confluence
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.30
cve-id: CVE-2015-8399
cwe-id: CWE-200
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: cve,cve2015,atlassian,confluence
requests:
- method: GET
path:
- "{{BaseURL}}/spaces/viewdefaultdecorator.action?decoratorName"
matchers-condition: and
matchers:
- type: status
@ -23,8 +27,8 @@ requests:
- 200
- type: word
part: body
words:
- "confluence-init.properties"
- "View Default Decorator"
condition: and
part: body
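Review bot: The request in this template is sent without any session, while the description says "remote authenticated users" and the added `cvss-metrics` vector carries `PR:L`. On an instance that does not allow anonymous access the probe presumably gets a login redirect instead of the 200 that the status matcher requires, so a miss does not show the host is on 5.8.17 or later. That limit should be documented where scan consumers will read it, for example by appending to `description`: `This check is unauthenticated and only matches when anonymous access is enabled; a negative result does not confirm the instance is patched.` The `requests` block starts inside the first hunk and its matchers continue in the second.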


@ -12,6 +12,8 @@ info:
cvss-score: 6.10
cve-id: CVE-2018-5230
cwe-id: CWE-79
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: cve,cve2018,atlassian,confluence,xss
requests:


@ -5,12 +5,14 @@ info:
severity: critical
description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
reference: https://github.com/x-f1v3/CVE-2019-3396
tags: cve,cve2019,atlassian,confluence,lfi,rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2019-3396
cwe-id: CWE-22
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: cve,cve2019,atlassian,confluence,lfi,rce
requests:
- raw:
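Review bot: The only `reference` for this critical finding is a third-party proof-of-concept repository, and the commit adds classification data without adding an authoritative source next to it. Someone triaging a hit needs the advisory record for affected and fixed versions more than the PoC. Turn `reference` into a list and add `- https://nvd.nist.gov/vuln/detail/CVE-2019-3396`, in the same form the CVE-2021-26085 template in this commit already uses. The `requests` block continues outside the hunk.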


@ -5,7 +5,6 @@ info:
severity: critical
name: Confluence Server OGNL injection - RCE
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
tags: cve,cve2021,rce,confluence,injection,ognl
reference:
- https://jira.atlassian.com/browse/CONFSERVER-67940
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
@ -16,6 +15,9 @@ info:
cvss-score: 9.80
cve-id: CVE-2021-26084
cwe-id: CWE-74
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: cve,cve2021,rce,confluence,injection,ognl
requests:
- raw:


@ -7,12 +7,14 @@ info:
reference:
- https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-26085
tags: cve,cve2021,confluence,atlassian,lfi
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2021-26085
cwe-id: CWE-862
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: cve,cve2021,confluence,atlassian,lfi
requests:
- method: GET


@ -5,6 +5,8 @@ info:
author: aashiq
severity: info
description: Searches for ServiceDesk login panels by trying to query the "/servicedesk/customer/user/login" endpoint
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: servicedesk,confluence,jira,panel,login
requests:
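Review bot: The added `shodan-query: http.component:"Atlassian Confluence"` does not fit this template, whose description says it looks for ServiceDesk login panels at `/servicedesk/customer/user/login`. That endpoint appears to belong to Jira Service Desk rather than Confluence, so the query looks copied from the other files in this commit. Anyone using the metadata to scope an inventory of their own exposed panels would be pointed at Confluence hosts that this check is not about. Use a query for the Jira component, e.g. `shodan-query: http.component:"Atlassian Jira"`, or leave the key out; the `confluence` tag deserves the same look.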


@ -5,9 +5,10 @@ info:
author: philippedelteil
severity: info
description: Allows you to detect Atlassian Confluence instances
tags: tech,confluence,atlassian
metadata:
shodan-query: https://www.shodan.io/search?query=http.component%3A%22atlassian+confluence%22
shodan-query: http.component:"Atlassian Confluence"
tags: tech,confluence,atlassian
requests:
- method: GET
@ -19,19 +20,18 @@ requests:
redirects: true
stop-at-first-match: true
matchers-condition: and
matchers-condition: or
matchers:
- type: word
words:
- '-Confluence-'
- '-confluence-'
part: header
condition: or
words:
- '-confluence-'
case-insensitive: true
- type: word
part: body
words:
- 'confluence-base-url'
part: body
extractors:
- type: regex
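Review bot: `matchers-condition` appears to change from `and` to `or`, so either word matcher now decides the result alone. A response is reported as Confluence if any header contains `-confluence-` (now `case-insensitive: true`) or the body contains `confluence-base-url`. The header matcher searches every header, so the substring can also turn up in a cookie, redirect or policy value on an unrelated host; that is inferred, the page shows no sample responses. Since this template feeds technology inventories, anchor the header word to a product header name, e.g. `- 'x-confluence-'`, if that is what the original word was targeting. Add a one-line comment above `matchers-condition: or` explaining why a single signal is accepted. The `extractors` block continues outside the hunk.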


@ -8,14 +8,29 @@ info:
reference:
- https://bitbucket.org/atlassian/confluence-business-blueprints/pull-requests/144/issue-60-conf-45342-ssrf-in-sharelinks
- https://github.com/assetnote/blind-ssrf-chains#confluence
tags: confluence,atlassian,ssrf,jira,oast
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: confluence,atlassian,ssrf,oast
requests:
- method: GET
path:
- '{{BaseURL}}/rest/sharelinks/1.0/link?url=https://{{interactsh-url}}/'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: word
part: body
words:
- "faviconURL"
- "domain"
condition: and
- type: status
status:
- 200
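Review bot: With `matchers-condition: and`, the out-of-band interaction only counts when the response is also a 200 whose body holds both `faviconURL` and `domain`. An instance that performs the outbound fetch but answers with another status or body is therefore reported clean. The trade-off (fewer false positives, possible false negatives) is undocumented; only the `interactsh_protocol` matcher carries a comment. Add one on the body matcher, e.g. `part: body # ties the callback to the sharelinks response; a miss here does not rule out the outbound fetch`, so whoever reads a negative result knows what it does and does not prove.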