SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.
SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
This rule detects an attempted remote code execution attempt using OGNL injection against vulnerable versions of Atlassian Confluence by looking for the Unicode escape sequence of a single quote being sent to a vulnerable URI.
This rule detects an attempted remote code execution attempt using OGNL injection against vulnerable versions of Atlassian Confluence.
No public information
No known false positives
Cisco Talos Intelligence Group
Tactic: Initial Access
Technique: Exploit Public-Facing Application
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
Command Injection
Command Injection attacks target applications that allow unsafe user-supplied input. Attackers transmit this input via forms, cookies, HTTP headers, etc. and exploit the applications permissions to execute system commands without injecting code.
CVE-2021-26084In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. |
|