
Just in Time Bulletin: CVE-2023-22515 Confluence Broken Access and Privilege Escalation

Oct 19, 2023

What is CVE-2023-22515? 

Researchers have identified a highly critical vulnerability that impacts Confluence Server and Data Center instances. The vulnerability allows an unauthenticated remote adversary to bypass access controls and escalate privileges. The full scope of the vulnerability is not yet known, but it appears to impact various “*.action” and “/setup/*.action” scripts. By submitting a crafted request to the “/server-info.action” endpoint, it is possible to trigger the vulnerability, which places the Confluence server back into an uncompleted setup state. Once the vulnerability is triggered, attackers can then craft a request to the “/setup/setupadministrator.action” endpoint, which results in the creation of an admin user account.

The attack does not require credentials and can be exploited by unauthenticated remote adversaries. The rating for this vulnerability is a bit of a head scratcher. Authentication bypass and privilege escalation certainly warrant a critical rating; however, CVSS scores of 9.8 and up are typically reserved for remote command execution vulnerabilities. Based on our research, there does not appear to be a vector for command execution associated with this vulnerability. That said, Confluence is often used to manage highly sensitive data, and the risk of unauthorized access is significant.

How bad is this?

Active exploitation today. Patch ASAP.

CVE: CVE-2023-22515
CVSSv3 Score: 10
Severity: Critical

  • Credentials are NOT required
  • Exploited in the wild
  • Mature exploit code on GitHub
  • Very low level of complexity

How is it exploited? 

Exploitation is trivial and exploit code is publicly available. This is a pretty serious issue and should be addressed ASAP.

How do I protect myself?

Patch now if you’re operating an on-prem Confluence instance. If patching is not immediately possible, Atlassian recommends blocking access to all “/setup” endpoints. Instructions are detailed in the Atlassian advisory linked below. Atlassian cloud is not affected.

Affected Versions of Confluence Data Center and Confluence Server
  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

Mitigating Factors?

Versions prior to 8.0.0 are not affected.
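As an added example (not part of the bulletin or Atlassian's own tooling), the following Python script does two defender-side checks drawn from the text above: it flags Confluence versions on the affected list, and it scans web server access logs for requests to the “/server-info.action” and “/setup/*.action” endpoints the bulletin names, reporting any client that touched both. The log lines are constructed samples in combined log format; the regular expression for your reverse proxy's log format may differ.

```python
import re
from collections import defaultdict

# Versions the bulletin lists as affected (Confluence Server and Data Center).
AFFECTED_VERSIONS = {
    "8.0.0", "8.0.1", "8.0.2", "8.0.3", "8.0.4", "8.1.0", "8.1.1", "8.1.3",
    "8.1.4", "8.2.0", "8.2.1", "8.2.2", "8.2.3", "8.3.0", "8.3.1", "8.3.2",
    "8.4.0", "8.4.1", "8.4.2", "8.5.0", "8.5.1",
}

def is_affected(version: str) -> bool:
    """True when the reported Confluence version is on the bulletin's affected list."""
    return version.strip() in AFFECTED_VERSIONS

# Endpoints the bulletin names in the exploitation chain. Ordinary users never
# need either of them once setup is complete, so any hit is worth reviewing.
SUSPICIOUS_PATH = re.compile(r"^/(server-info\.action|setup/[^/?\s]+\.action)")

# Apache/NCSA combined log format; adjust for your proxy's own format (assumption).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines):
    """Return (client, method, path, status) for every request to a named endpoint."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and SUSPICIOUS_PATH.match(m["path"]):
            hits.append((m["client"], m["method"], m["path"], int(m["status"])))
    return hits

def chained_clients(hits):
    """Clients that touched both /server-info.action and a /setup/*.action
    endpoint, i.e. the two-step sequence the bulletin describes."""
    seen = defaultdict(set)
    for client, _method, path, _status in hits:
        seen[client].add("setup" if path.startswith("/setup/") else "server-info")
    return sorted(c for c, kinds in seen.items() if len(kinds) == 2)

# Constructed sample access log (not from a real incident). The last line shows
# a /setup request rejected after the recommended block is in place.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2023:10:01:02 +0000] "GET /display/ENG/Home HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Oct/2023:10:02:10 +0000] "GET /server-info.action HTTP/1.1" 302 0',
    '203.0.113.7 - - [19/Oct/2023:10:02:12 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [19/Oct/2023:10:03:00 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 403 0',
]
```

Run `scan_access_log(SAMPLE_LOG)` to list every hit and `chained_clients(...)` on that result to get the clients completing both steps; any new admin accounts created in the same window should be reviewed regardless of what the log shows.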

Additional Resources About CVE-2023-22515