Habib0x0 / CVE-2022-26134

Atlassian Confluence - Unauthenticated OGNL injection vulnerability (RCE)

Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134) in Ruby

Confluence is a web-based corporate wiki developed by Australian software company Atlassian.

On June 02, 2022, Atlassian released a security advisory for its Confluence Server and Data Center applications, highlighting a critical-severity unauthenticated remote code execution vulnerability. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

References:

Vulnerable Environment

Execute the following command to start a Confluence Server 7.13.6 instance:

docker-compose up -d

After the environment starts, visit http://your-ip:8090 to see the installation guide. Select "Trial installation"; you will then be asked to fill in the license key. You should apply for a Confluence Server test certificate from Atlassian.

Follow this guide to complete the installation.

On the database configuration page, fill in the form with database address db, database name confluence, username postgres, password postgres.

Exploit

Note: Exploit is still under development; any pull request ideas are welcome.

Habib0x

https://user-images.githubusercontent.com/24976957/172490114-2b81b6f1-9c4d-4542-9d8d-e4d7b4a82d9d.mov