Known Exploited Vulnerabilities Other Injection Capability Group

All Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2022-22954 VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability primary_impact T1505.003 Web Shell
Comments
This vulnerability is exploited via server-side template injection to achieve remote code execution. This access is then used to establish backdoors. Adversaries have been observed chaining this with CVE-2022-22960 in order to escalate privileges to root.
CVE-2022-22954 VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability exploitation_technique T1221 Template Injection
Comments
This vulnerability is exploited via server-side template injection to achieve remote code execution. This access is then used to establish backdoors. Adversaries have been observed chaining this with CVE-2022-22960 in order to escalate privileges to root.
CVE-2019-3396 Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability secondary_impact T1202 Indirect Command Execution
Comments
CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
CVE-2019-3396 Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability primary_impact T1090 Proxy
Comments
CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
CVE-2019-3396 Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability exploitation_technique T1133 External Remote Services
Comments
CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
CVE-2021-26084 Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability secondary_impact T1496 Resource Hijacking
Comments
CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. This Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers to execute arbitrary code on vulnerable Confluence instances.
CVE-2021-26084 Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
Comments
CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. This Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers to execute arbitrary code on vulnerable Confluence instances.
CVE-2021-36380 Sunhillo SureLine OS Command Injection Vulnerability primary_impact T1059.004 Unix Shell
Comments
To trigger this vulnerability, an attacker sends a specially crafted POST request to the webserver at the URL /cgi/networkDiag.cgi. Within this request, the attacker inserts a Linux command as part of the ipAddr or dnsAddr POST parameters. When the webserver processes the POST request, the command the attacker has inserted into the parameter will be executed.
CVE-2021-36380 Sunhillo SureLine OS Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
To trigger this vulnerability, an attacker sends a specially crafted POST request to the webserver at the URL /cgi/networkDiag.cgi. Within this request, the attacker inserts a Linux command as part of the ipAddr or dnsAddr POST parameters. When the webserver processes the POST request, the command the attacker has inserted into the parameter will be executed.
CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability primary_impact T1496 Resource Hijacking
Comments
CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated adversary to achieve remote code execution. Adversaries have been observed exploiting this vulnerability for cryptomining purposes.
CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability exploitation_technique T1221 Template Injection
Comments
CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated adversary to achieve remote code execution. Adversaries have been observed exploiting this vulnerability for cryptomining purposes.

Capabilities

Capability ID Capability Name Number of Mappings
CVE-2019-3396 Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability 3
CVE-2022-22954 VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability 2
CVE-2021-26084 Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability 2
CVE-2021-36380 Sunhillo SureLine OS Command Injection Vulnerability 2
CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability 2