CVE-2022-26134

Warnung

Exploit

EPSS 94.41%
Veröffentlicht 03.06.2022 22:15:07
Zuletzt bearbeitet 24.10.2025 13:38:30
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

Betroffene Produkte Warnungen 2 Metriken 4 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Confluence Data Center Version >= 1.3 < 7.4.17

Atlassian ≫ Confluence Data Center Version >= 7.13.0 < 7.13.7

Atlassian ≫ Confluence Data Center Version >= 7.14.0 < 7.14.3

Atlassian ≫ Confluence Data Center Version >= 7.15.0 < 7.15.2

Atlassian ≫ Confluence Data Center Version >= 7.16.0 < 7.16.4

Atlassian ≫ Confluence Data Center Version >= 7.17.0 < 7.17.4

Atlassian ≫ Confluence Data Center Version7.18.0

Atlassian ≫ Confluence Server Version >= 1.3 < 7.4.17

Atlassian ≫ Confluence Server Version >= 7.13.0 < 7.13.7

Atlassian ≫ Confluence Server Version >= 7.14.0 < 7.14.3

Atlassian ≫ Confluence Server Version >= 7.15.0 < 7.15.2

Atlassian ≫ Confluence Server Version >= 7.16.0 < 7.16.4

Atlassian ≫ Confluence Server Version >= 7.17.0 < 7.17.4

Atlassian ≫ Confluence Server Version7.18.0

02.06.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability

Schwachstelle

Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution.

Beschreibung

Immediately block all internet traffic to and from affected products AND apply the update per vendor instructions [https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html] OR remove the affected products by the due date on the right. Note: Once the update is successfully deployed, agencies can reassess the internet blocking rules.

Erforderliche Maßnahmen

03.06.2022: CERT.at Warnung

https://www.cert.at/de/warnungen/2022/6/kritische-sicherheitslucke-in-atlassian-confluence-workarounds-verfugbar

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.41%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html

Third Party Advisory

VDB Entry

http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html