Security Vulnerability of the Week 13/06/22

Weekly review of vulnerability, this week we have a lot to unpack

Previous Issues of vulnerability Weekly

This week we deep dive into Confluence RCE vulnerability, Follina exploits and weaponization, and GitLab vulnerability for account takeover.


Atlassian Confluence & Jira

Atlassian Confluence

Beginning of June (2-june-2022) Atlassian warned of two zero days. Atlassian credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134.

A new strain of ransomware is affecting and targeting both vulnerabilities  CVE-2022-26134. and reports on Atlassian support confirm files are getting locked and encrypted.

Several attempts since weaponization have been seen (source Graynoise)

Credit Graynoise

Currently, Atlassian tracks the vulnerability: with the available workaround

Both Confluence Server and Data Center are affected by an injection that allows an unauthenticated attacker to execute random code (RCE and Injection)

The affected versions are
from 1.3.0 before 7.4.17,
from 7.13.0 before 7.13.7,
from 7.14.0 before 7.14.3,
from 7.15.0 before 7.15.2,
from 7.16.0 before 7.16.4,
from 7.17.0 before 7.17.4,
and from 7.18.0 before 7.18.1.
CVE Database/ Atlassian

Atlassian has been hit by another critical vulnerability in April with a rating of 9.9:

Also, another variant of the vulnerability Currently Tracked as CVE-2021-26084, CVSS score: 9.8

As the two vulnerabilities are highly exploitable if there are server exposed with authentication is important to patch them

Both vulnerabilities are affected by the Object-graph Navigation Language (OGNL) injection.

Both vulnerabilities is currently high in dangerousness as there are multiple exploits available in the wild:

An example of the payload :

curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/

This is just an encoding for an OGNL expression including java.lang.Runtime to execute a system command: touch /tmp/pwned.COPY

{@java.lang.Runtime@getRuntime().exec(“touch /tmp/pwned”)}

Current Version of Atlassian Vulnerable on the web

According to stats from internet asset discovery platform Censys, there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with most instances located in the U.S., China, Germany, Russia, and France.

For a live dashboard:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides adding the zero-day bug to its Known Exploited Vulnerabilities Catalog, has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.


Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.


If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating the following files for the specific version of the product.

More details on the various version in the advisory:


A bit dwarfed by the Atlassian vulnerability above GitLab had a serious authentication issue affecting all all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.

CVE-2022-1680, the issue has a CVSS severity score of 9.9

The vulnerability was discovered by the internal security team:

Official Advisory:

“When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker-controlled email address and thus — in the absence of 2FA — take over those accounts,” GitLab said.

Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its advisory published on June 1, 2022.


it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.


MAC Hardware Vulnerability

Credit Techspot

A new hardware attack targeting the novel M1 Processor has been recently demonstrated. The attacker can execute arbitrary code on the affected Mac OS

The vulnerability is rooted in pointer authentication codes (PACs), a line of defence introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that store a memory address — in memory.

the paper’s lead co-author Ph.D. student Joseph Ravichandran on the processor vulnerability: The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defence isn’t as absolute as we once thought it was

Like other vulnerabilities (like spectre) the vulnerability is difficult to replicate. As for spectre the vulnerability fix might lead more likely to the exclusion of the corruptable area so steps in the future to mitigate the vulnerability needs to be carefully considered.

An example of the pointer leak:

The researcher have used the vulnerability for kernel-based attacks but remains very speculative and no weaponization seen in the wild.

Apple said in a statement shared with The Hacker News, pointing out PACMAN’s diminished potential for in-the-wild exploitation.

The researchers do say there is “no immediate call for alarm” because there needs to be a myriad of other breakages in order to for this ‘last line of defence’ to be cracked. The researchers presented their findings to Apple, who responded with a statement to TechCrunch.

Windows – Follina

The vulnerability CVE-2022-30190 (CVSS score: 7.8) has currently no fix available. Currently Tracked in

The discovery from the  Japanese cybersecurity research team nao_sec started when they discovered a malicious Word file uploaded to VirusTotal from the Belarusian IP address.

The vulnerability exploit get triggered by chaining an HTML file from a remote template that leads to running malicious Powershell code.

The situation is more dangerous as the code is run via the MSDT tool normally run by the support desk to diagnose issues.

Remediation/ workaround

There is still no available patch the step to fix this are:

  • To disable the MSDT URL Protocol (modify the register: reg export HKEY_CLASSES_ROOT\ms-msdt filename)

For additional workaround:

Increase dangerousness

Microsoft Defender for Endpoint hasn’t been able to detect the flaw according to the research by Kevin Beaumont who gave a name to this new Microsoft Office code execution vulnerability.

Nonetheless, the following signatures have been released

  • Trojan:Win32/Mesdetty.A  (blocks msdt command line)
  • Trojan:Win32/Mesdetty.B  (blocks msdt command line)
  • Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
  • Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
  • Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)

Follina in the Wild:

Researchers have seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

New recent detection have detected potential state sponsor attacks: Follina –

More than 1000 spam email have been recently seen,.

“This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,” the company said in a series of tweets.

the campaign follows a recent attack

Dog Walk Follina extended attack

Despite the fact that an unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), the following flaws continue to get exploited in the wild.

The DOGWALK vulnerability leverage a startup folder exploit. The vulnerability get exploited at when the payload is launched at next user login

DogWalk was originally disclosed by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue.

Following some example of virtual patching of this vulnerability

Previous Issues of vulnerability Weekly

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.