On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence. There is a patch available from Atlassian, or the recommendation is to disconnect vulnerable systems from the internet. As far as I can see so far, there is no Threat Campaigns Signature or Attack Signature to mitigate this attack.
A bit of analysis: parts of the POC code and example curl command snippets look like the following examples (after URL-decoding).
In the POC code and example curl command snippets, attackers create and use an HTTP header to return the response.
Example response header for the whoami command:
Looking at another part of the POC code and example curl command snippets, this is achieved by using setHeader.
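The two traits described above (a URL-encoded expression in the request and a `setHeader` call that returns output in a response header) can be searched for in web access logs. This is an added example, not code from the original post or from Atlassian; the combined log format, the `${` delimiter check, the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line of a combined-format access log entry: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
EXPR_OPEN = "${"           # assumption: expression delimiter visible after URL-decoding
HEADER_CALL = "setheader"  # the response-header call named in the post (lower-cased)

# Constructed sample lines; the expressions are inert placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:01:02 +0000] "GET /%24%7Bplaceholder.setHeader'
    '%28%22X-Demo%22%2C%22value%22%29%7D/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [03/Jun/2022:10:01:05 +0000] "GET /%2524%257Bplaceholder%257D/ HTTP/1.1" 404 0',
    '198.51.100.4 - - [03/Jun/2022:10:02:00 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 5120',
]


def fully_decode(text, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%2524 -> %24 -> $) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(line):
    """Return None for an unremarkable line, else (level, decoded_path)."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    # Split off the query string before decoding so an encoded '?' stays in the path.
    path = fully_decode(match.group("uri").split("?", 1)[0])
    if EXPR_OPEN not in path:
        return None
    # An expression that also calls setHeader matches the response-header trick.
    level = "high" if HEADER_CALL in path.lower() else "medium"
    return level, path


def scan(lines):
    """Return (line_number, level, decoded_path) for every flagged line."""
    hits = ((i, classify(line)) for i, line in enumerate(lines, 1))
    return [(i, *hit) for i, hit in hits if hit]


if __name__ == "__main__":
    for lineno, level, path in scan(SAMPLE_LOG):
        print(f"line {lineno}: {level}: {path}")
```

A hit only shows that a request of this shape reached the server; whether it succeeded has to be confirmed from the patch level and from the response headers, if those are logged.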
A full curl example would look like this (note: special characters are URL encoded):