Vulnerability Details : CVE-2022-26134
Public exploit exists!
Used for ransomware!
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
Vulnerability category: Execute code
Products affected by CVE-2022-26134
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*
CVE-2022-26134 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
CISA required action:
Immediately block all internet traffic to and from affected products AND apply the update per vendor instructions [https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html] OR remove the affected products by the due date on the right. Note: Once the update is succ
CISA description:
Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2022-26134
Added on
2022-06-02
Action due date
2022-06-06
Exploit prediction scoring system (EPSS) score for CVE-2022-26134
97.39%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2022-26134
-
Atlassian Confluence Namespace OGNL Injection
Disclosure Date: 2022-06-02First seen: 2022-12-23exploit/multi/http/atlassian_confluence_namespace_ognl_injectionThis module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution. Authors: - Unknown - bturner-r7 - jbaines-r7 - Spencer McIntyre
CVSS scores for CVE-2022-26134
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-04 |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-26134
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
-
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-26134
-
https://jira.atlassian.com/browse/CONFSERVER-79016
[CONFSERVER-79016] Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134 - Create and track feature requests for Atlassian products.Issue Tracking;Patch;Vendor Advisory
-
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Confluence Security Advisory 2022-06-02 | Confluence Data Center and Server 7.18 | Atlassian DocumentationVendor Advisory
-
http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html
Through The Wire CVE-2022-26134 Confluence Proof Of Concept ≈ Packet StormThird Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html
Confluence OGNL Injection Proof Of Concept ≈ Packet StormThird Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html
Atlassian Confluence Namespace OGNL Injection ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html
Confluence OGNL Injection Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
Jump to