ID

VAR-202206-0004


CVE

CVE-2022-26134


TITLE

Atlassian Confluence Data Center and Confluence Server vulnerability: improper neutralization of special elements used in an expression language statement

Trust: 0.8

sources: JVNDB: JVNDB-2022-011115

DESCRIPTION

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. Atlassian Confluence Server is the server edition of Atlassian's collaboration software, with enterprise knowledge management functions and support for building enterprise wikis.

Trust: 2.25

sources: NVD: CVE-2022-26134 // JVNDB: JVNDB-2022-011115 // CNVD: CNVD-2022-50013 // VULMON: CVE-2022-26134

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-50013

AFFECTED PRODUCTS

vendor: atlassian | model: confluence data center | scope: lt | version: 7.14.3

Trust: 1.0

vendor: atlassian | model: confluence server | scope: lt | version: 7.15.2

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: gte | version: 1.3

Trust: 1.0

vendor: atlassian | model: confluence server | scope: gte | version: 7.13.0

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: lt | version: 7.15.2

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: gte | version: 7.17.0

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: gte | version: 7.13.0

Trust: 1.0

vendor: atlassian | model: confluence server | scope: lt | version: 7.16.4

Trust: 1.0

vendor: atlassian | model: confluence server | scope: gte | version: 7.14.0

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: lt | version: 7.16.4

Trust: 1.0

vendor: atlassian | model: confluence server | scope: lt | version: 7.4.17

Trust: 1.0

vendor: atlassian | model: confluence server | scope: eq | version: 7.18.0

Trust: 1.0

vendor: atlassian | model: confluence server | scope: gte | version: 7.16.0

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: gte | version: 7.14.0

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: eq | version: 7.18.0

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: lt | version: 7.4.17

Trust: 1.0

vendor: atlassian | model: confluence server | scope: gte | version: 7.15.0

Trust: 1.0

vendor: atlassian | model: confluence server | scope: lt | version: 7.13.7

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: gte | version: 7.16.0

Trust: 1.0

vendor: atlassian | model: confluence server | scope: lt | version: 7.17.4

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: gte | version: 7.15.0

Trust: 1.0

vendor: atlassian | model: confluence server | scope: lt | version: 7.14.3

Trust: 1.0

vendor: atlassian | model: confluence server | scope: gte | version: 1.3

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: lt | version: 7.13.7

Trust: 1.0

vendor: atlassian | model: confluence data center | scope: lt | version: 7.17.4

Trust: 1.0

vendor: atlassian | model: confluence server | scope: gte | version: 7.17.0

Trust: 1.0

vendor: atlassian | model: confluence server | scope: - | version: -

Trust: 0.8

vendor: atlassian | model: confluence data center | scope: - | version: -

Trust: 0.8

vendor: atlassian | model: confluence server and data center | scope: eq | version: 1.3.0,<7.4.17

Trust: 0.6

vendor: atlassian | model: confluence server and data center | scope: eq | version: 7.13.0,<7.13.7

Trust: 0.6

vendor: atlassian | model: confluence server and data center | scope: eq | version: 7.14.0,<7.14.3

Trust: 0.6

vendor: atlassian | model: confluence server and data center | scope: eq | version: 7.15.0,<7.15.2

Trust: 0.6

vendor: atlassian | model: confluence server and data center | scope: eq | version: 7.16.0,<7.16.4

Trust: 0.6

vendor: atlassian | model: confluence server and data center | scope: eq | version: 7.17.0,<7.17.4

Trust: 0.6

vendor: atlassian | model: confluence server and data center | scope: eq | version: 7.18.0,<7.18.1

Trust: 0.6

sources: CNVD: CNVD-2022-50013 // JVNDB: JVNDB-2022-011115 // NVD: CVE-2022-26134

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-26134
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-26134
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2022-50013
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202206-442
value: CRITICAL

Trust: 0.6

VULMON: CVE-2022-26134
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2022-26134
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-50013
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-26134
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-26134
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-50013 // VULMON: CVE-2022-26134 // JVNDB: JVNDB-2022-011115 // CNNVD: CNNVD-202206-442 // NVD: CVE-2022-26134

PROBLEMTYPE DATA

problemtype:CWE-917

Trust: 1.0

problemtype: Improper neutralization of special elements used in an expression language statement (CWE-917) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-011115 // NVD: CVE-2022-26134

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-442

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202206-442

PATCH

title: Patch for command execution vulnerability in Atlassian Confluence Server and Data Center | url: https://www.cnvd.org.cn/patchInfo/show/337616

Trust: 0.6

title: Atlassian Confluence Server injection vulnerability remediation measures | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=196250

Trust: 0.6

title: - | url: https://github.com/skhalsa-sigsci/CVE-2022-26134-LAB

Trust: 0.1

title: - | url: https://github.com/badboy-sft/CVE-2022-26134

Trust: 0.1

title: - | url: https://github.com/CyberDonkyx0/CVE-2022-26134

Trust: 0.1

title: - | url: https://github.com/AmoloHT/CVE-2022-26134

Trust: 0.1

sources: CNVD: CNVD-2022-50013 // VULMON: CVE-2022-26134 // CNNVD: CNNVD-202206-442

EXTERNAL IDS

db: NVD | id: CVE-2022-26134

Trust: 3.9

db: PACKETSTORM | id: 167430

Trust: 2.4

db: PACKETSTORM | id: 167432

Trust: 2.4

db: PACKETSTORM | id: 167449

Trust: 2.4

db: PACKETSTORM | id: 167431

Trust: 1.8

db: JVNDB | id: JVNDB-2022-011115

Trust: 0.8

db: CNVD | id: CNVD-2022-50013

Trust: 0.6

db: CS-HELP | id: SB2022060301

Trust: 0.6

db: EXPLOIT-DB | id: 50952

Trust: 0.6

db: CXSECURITY | id: WLB-2022060031

Trust: 0.6

db: CNNVD | id: CNNVD-202206-442

Trust: 0.6

db: VULMON | id: CVE-2022-26134

Trust: 0.1

sources: CNVD: CNVD-2022-50013 // VULMON: CVE-2022-26134 // JVNDB: JVNDB-2022-011115 // CNNVD: CNNVD-202206-442 // NVD: CVE-2022-26134

REFERENCES

url:http://packetstormsecurity.com/files/167430/confluence-ognl-injection-remote-code-execution.html

Trust: 3.0

url:http://packetstormsecurity.com/files/167431/through-the-wire-cve-2022-26134-confluence-proof-of-concept.html

Trust: 2.4

url:http://packetstormsecurity.com/files/167432/confluence-ognl-injection-proof-of-concept.html

Trust: 2.4

url:http://packetstormsecurity.com/files/167449/atlassian-confluence-namespace-ognl-injection.html

Trust: 2.4

url:https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Trust: 2.4

url:https://jira.atlassian.com/browse/confserver-79016

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-26134

Trust: 0.8

url:https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022060301

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-26134/

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2022060031

Trust: 0.6

url:https://www.exploit-db.com/exploits/50952

Trust: 0.6

sources: JVNDB: JVNDB-2022-011115 // CNNVD: CNNVD-202206-442 // NVD: CVE-2022-26134

CREDITS

h3v0x

Trust: 0.6

sources: CNNVD: CNNVD-202206-442

SOURCES

db: CNVD | id: CNVD-2022-50013
db: VULMON | id: CVE-2022-26134
db: JVNDB | id: JVNDB-2022-011115
db: CNNVD | id: CNNVD-202206-442
db: NVD | id: CVE-2022-26134

LAST UPDATE DATE

2024-08-14T13:10:41.843000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2022-50013 | date: 2022-07-07T00:00:00
db: VULMON | id: CVE-2022-26134 | date: 2023-08-08T00:00:00
db: JVNDB | id: JVNDB-2022-011115 | date: 2023-08-18T08:23:00
db: CNNVD | id: CNNVD-202206-442 | date: 2022-07-01T00:00:00
db: NVD | id: CVE-2022-26134 | date: 2024-06-28T14:22:46.883

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2022-50013 | date: 2022-07-21T00:00:00
db: VULMON | id: CVE-2022-26134 | date: 2022-06-03T00:00:00
db: JVNDB | id: JVNDB-2022-011115 | date: 2023-08-18T00:00:00
db: CNNVD | id: CNNVD-202206-442 | date: 2022-06-03T00:00:00
db: NVD | id: CVE-2022-26134 | date: 2022-06-03T22:15:07.717