HTTP Header doesn’t lie
CVE-2022-26134 : Atlassian Confluence Sever ver 7.18.1 RCE PoC via OGNL injection vulnerability
Hasn’t been a good 12 months for Atlassian.
Good thread by Kevin Beaumont:
There’s a little more detail in this Bleeping Computer article (though it mostly restates what’s in the Volexity post): Critical Atlassian Confluence zero-day actively used in attacks
We just put ours behind our vpn only. Figured it was fairly bad when their workaround was “have you tried turning it off?”