What is CVE-2023-22518?
Atlassian recently reported CVE-2023-22518. Sensor networks from GreyNoise and Rapid7 have also detected mass exploitation as ransomware and cryptominers taking advantage of the rich sea of targets.
The vulnerability enables an unauthenticated remote adversary to reset the Confluence instance and create a new administrative account via the upload of a malicious site backup. Researchers discovered that it was possible to inject the header “X-Atlassian-Token: no-check” into a site backup upload request to the endpoint /json/setup-restore.action. Using this exploit an attacker can deploy a new site with attacker-defined users and settings, which can lead to remote command execution.
This is a critical vulnerability. Successful exploitation facilitates remote command execution, which can result in malware deployment or lateral movement within a private network. However, because the existing installation is overwritten, exploitation does not result in a loss of data confidentiality.
How bad is this?
CVE | CVSSv3 Score |
CVE-2023-22518 | 10 |
Severity: Critical
- Credentials are NOT required
- Mass exploitation in the wild
- Low level of complexity
- Publicly available proof-of-concept code
How is it exploited?
Exploitation is carried out via the upload of a malicious site backup by an unauthenticated attacker. Exploitation requires a single request and a low level of complexity.
How do I protect myself?
Atlassian recommends that vulnerable installations apply the patch that correlates to their version.
Product | Fixed Versions |
Confluence Data Center and Server |
|
Who is affected by this?
Current estimates based on Shodan and Censys queries indicate that roughly 5,600 endpoints across the internet are externally accessible.
Product | Affected Versions |
Confluence Data Center and Server | All versions are affected |
Mitigating Factors?
If patching is not possible, it is recommended to deny access to the vulnerable endpoints by making changes to the web.xml configuration file.
- /json/setup-restore.action
- /json/setup-restore-local.action
- /json/setup-restore-progress.action
For specific mitigation instructions please reference the additional resources.