Just in Time Bulletin: CVE-2023-22515 Confluence Broken Access and Privilege Escalation
What is CVE-2023-22515?
Researchers have identified a highly critical vulnerability that impacts Confluence Server and Data Center instances. The vulnerability lets an unauthenticated remote adversary bypass access controls and escalate privileges. The full scope of the vulnerability is not yet known, but it appears to involve various “*.action” and “/setup/*.action” scripts. By submitting a crafted request to the “/server-info.action” endpoint it is possible to trigger the vulnerability, which places the Confluence server back into an incomplete setup state. Once the vulnerability is triggered, attackers can then send a request to the “/setup/setupadministrator.action” endpoint, which results in the creation of an admin user account.
The attack does not require credentials and can be exploited by unauthenticated remote adversaries. The rating for this vulnerability is a bit of a head scratcher. Authentication bypass and privilege escalation certainly warrant a critical rating, however CVSS scores of 9.8 and up are typically reserved for remote command execution vulnerabilities. Based on our research, there doesn’t appear to be a vector for command execution associated with this vulnerability. That said, Confluence is often used to manage highly sensitive data and the risk of unauthorized access is significant.
How bad is this?
Active exploitation today. Patch ASAP.
- Credentials are NOT required
- Exploited in the wild
- Mature exploit code on GitHub
- Very low level of complexity
How is it exploited?
Exploitation is trivial and exploit code is publicly available. This is a pretty serious issue and should be addressed ASAP.
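The two-step chain described above (a request to “/server-info.action” followed by a request to “/setup/setupadministrator.action”) leaves a recognisable trace in web-server access logs. The following detection script is an added example written for this bulletin, not code from Atlassian or from the researchers; it assumes combined-format access logs, uses constructed sample lines, and treats a query string on “/server-info.action” as a heuristic indicator rather than a confirmed signature.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined format) used only for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:01:12 +0000] "GET /server-info.action?x=y HTTP/1.1" 302 0 "-" "curl/8.1"
203.0.113.7 - - [04/Oct/2023:10:01:15 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "curl/8.1"
198.51.100.4 - - [04/Oct/2023:10:02:00 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Oct/2023:10:03:30 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 1024 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, url):
    """Label one request, or return None when it looks benign."""
    parts = urlsplit(url)
    path = parts.path.lower()
    # Any hit on /setup/* after installation is finished should not happen on an
    # installed instance; "/setup/" is matched anywhere to allow a context path.
    if "/setup/" in path:
        return "setup-endpoint"
    # Assumption (heuristic): /server-info.action normally takes no parameters,
    # so a query string there is worth reviewing as a possible trigger request.
    if path.endswith("/server-info.action") and parts.query:
        return "server-info-with-params"
    return None

def scan(log_text):
    """Return {client_ip: [(timestamp, method, url, label), ...]} for flagged requests."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["method"], m["url"])
        if label:
            findings[m["ip"]].append((m["ts"], m["method"], m["url"], label))
    return dict(findings)

def likely_exploit_chains(findings):
    """IPs that hit /server-info.action with parameters and later touched a /setup/ endpoint."""
    chains = []
    for ip, events in findings.items():
        labels = [e[3] for e in events]  # events are kept in log order
        if "server-info-with-params" in labels:
            first = labels.index("server-info-with-params")
            if "setup-endpoint" in labels[first + 1:]:
                chains.append(ip)
    return sorted(chains)
```

Run `likely_exploit_chains(scan(open("access.log").read()))` against your real access log; any IP it returns, and any unexpected “/setup/” hit at all, warrants checking the Confluence user list for newly created administrators.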
How do I protect myself?
Patch now if you’re operating an on-prem Confluence instance. If patching is not immediately possible, Atlassian recommends blocking access to all “/setup” endpoints. Instructions are detailed in the Atlassian advisory linked below. Atlassian Cloud is not affected.
Affected Versions of Confluence Data Center and Confluence Server
Versions prior to 8.0.0 are not affected.