Atlassian Confluence- Unauthenticated OGNL injection vulnerability (RCE) # Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134) in Ruby
Confluence is a web-based corporate wiki developed by Australian software company Atlassian.
On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
References:
- <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>
- <https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis>
- <https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134>
## Vulnerable Environment
Execute following command to start a Confluence Server 7.13.6:
```
docker-compose up -d
```
After the environment starts, visit ``http://your-ip:8090`` and you will see the installation guide, select "Trial installation", then you will be asked to fill in the license key. You should apply for a Confluence Server test certificate from Atlassian.
Following [this guide](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396) to complete the installation.
On the database configuration page, fill in the form with database address `db`, database name `confluence`, username `postgres`, password `postgres`.
## Exploit
Note: Exploit is still under development , any pull request ideas are welcomed
https://user-images.githubusercontent.com/24976957/172490114-2b81b6f1-9c4d-4542-9d8d-e4d7b4a82d9d.mov
[4.0K] /data/pocs/35a6816e092b3ac3f5a70f9f5eebefe1ce443e23
├── [2.5K] CVE-2022-26134.rb
├── [ 242] docker-compose.yml
└── [1.7K] README.md
0 directories, 3 files