
Just in Time Bulletin: CVE-2023-22518 Atlassian Confluence Authorization Bypass

Nov 10, 2023

What is CVE-2023-22518? 

Atlassian recently reported CVE-2023-22518. Sensor networks operated by GreyNoise and Rapid7 have also detected mass exploitation, with ransomware and cryptominer operators taking advantage of the large number of exposed targets.

The vulnerability enables an unauthenticated remote adversary to reset the Confluence instance and create a new administrative account via the upload of a malicious site backup. Researchers discovered that it was possible to inject the header “X-Atlassian-Token: no-check” into a site backup upload request to the endpoint /json/setup-restore.action. Using this exploit, an attacker can deploy a new site with attacker-defined users and settings, which can lead to remote command execution.

This is a critical vulnerability. Successful exploitation facilitates remote command execution, which can result in malware deployment or lateral movement within a private network. However, because the existing installation is overwritten, exploitation does not result in a loss of data confidentiality.

How bad is this?

CVE: CVE-2023-22518
CVSSv3 Score: 10
Severity: Critical

  • Credentials are NOT required
  • Mass exploitation in the wild
  • Low level of complexity
  • Publicly available proof-of-concept code

How is it exploited? 

Exploitation is carried out via the upload of a malicious site backup by an unauthenticated attacker. Exploitation requires a single request and a low level of complexity.

How do I protect myself?

Atlassian recommends that vulnerable installations apply the patch that correlates to their version.

Product: Confluence Data Center and Server
Fixed Versions:
  • 7.19.16
  • 8.3.4
  • 8.4.4
  • 8.5.3
  • 8.6.1
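A quick way to turn the fixed-version table into a check against an inventory of installed versions. This is an added example, not code from NopSec or Atlassian; it knows only the five fixed releases listed above, so it returns "unknown" for any branch newer than 8.6 (the bulletin's table says nothing about those) and treats versions on branches with no listed fix, such as 8.0 to 8.2, as vulnerable because the only remedy is an upgrade to a listed fixed release.

```python
# Added example (not from the NopSec bulletin or from Atlassian): check whether a
# Confluence Data Center / Server version string is at or above the fixed
# release for its branch, using only the fixed-version list in the bulletin.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the bulletin, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (7, 19): (7, 19, 16),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 3),
    (8, 6): (8, 6, 1),
}
NEWEST_LISTED_BRANCH = max(FIXED_BY_BRANCH)  # (8, 6)


def parse_version(text: str) -> Version:
    """Turn '8.5.3' (or '8.5.3-something') into a 3-tuple of ints, zero-padded."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_fixed(text: str) -> Optional[bool]:
    """
    True  -> at or above the fixed release of a listed branch.
    False -> below the fixed release, or on a branch the bulletin lists no fix
             for (an upgrade to a listed fixed release is required).
    None  -> branch newer than anything in the bulletin's table; the table
             cannot answer, so check the vendor advisory for that branch.
    """
    v = parse_version(text)
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        return v >= fixed
    if branch < NEWEST_LISTED_BRANCH:
        return False
    return None


def triage(versions):
    """Map each installed version string to 'fixed', 'vulnerable' or 'unknown'."""
    labels = {True: "fixed", False: "vulnerable", None: "unknown"}
    return {v: labels[is_fixed(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, verdict in triage(["7.19.15", "7.19.16", "8.2.0", "8.5.3", "8.7.0"]).items():
        print(f"{ver:>8}  {verdict}")
```

Feed it the version strings from your asset inventory; anything reported as "vulnerable" or "unknown" should be scheduled for the upgrade or checked against the vendor advisory respectively.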


Who is affected by this? 

Current estimates based on Shodan and Censys queries indicate that roughly 5,600 endpoints across the internet are externally accessible.

Product: Confluence Data Center and Server
Affected Versions: All versions are affected


Mitigating Factors?

If patching is not possible, it is recommended to deny access to the vulnerable endpoints by adding access restrictions for the following paths to the web.xml configuration file:

  • /json/setup-restore.action
  • /json/setup-restore-local.action
  • /json/setup-restore-progress.action
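Because exploitation is a single request to one of the setup-restore endpoints (see "How is it exploited?" above), access logs are the quickest place to look both for attempts and for confirmation that a web.xml restriction is actually refusing them. The script below is an added example, not code from NopSec or Atlassian: it parses Apache/Tomcat combined-format access-log lines (an assumption; adjust the regular expression for your log format), keeps every request whose path is one of the three endpoints listed above, and separates requests the server refused (401/403, which is what a servlet security-constraint returns) from ones it accepted, which need incident-response follow-up. The sample log lines are constructed.

```python
# Added example (not from the NopSec bulletin): scan web server access-log lines
# for requests to the three setup-restore endpoints the bulletin says to block,
# and separate attempts the server refused from ones it accepted.
import re
from dataclasses import dataclass
from typing import Iterable, List

# Endpoints named in the bulletin's mitigation section.
RESTORE_ENDPOINTS = frozenset({
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
})

# Apache/Tomcat "combined" access-log layout (assumption: adjust for your format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int

    @property
    def blocked(self) -> bool:
        # 401/403 is what a web.xml security-constraint returns once it is in place.
        return self.status in (401, 403)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every request whose path (query string stripped) is a restore endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["target"].split("?", 1)[0]
        if path in RESTORE_ENDPOINTS:
            hits.append(Hit(m["ip"], m["ts"], m["method"], path, int(m["status"])))
    return hits


def accepted(hits: Iterable[Hit]) -> List[Hit]:
    """Hits the server did not refuse: these need incident-response follow-up."""
    return [h for h in hits if not h.blocked]


# Constructed sample lines (documentation-range IPs, made-up timestamps), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Nov/2023:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Nov/2023:10:15:09 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [06/Nov/2023:11:02:44 +0000] "POST /json/setup-restore-local.action HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.10 - - [06/Nov/2023:11:30:00 +0000] "GET /rest/api/content HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
garbage line that does not parse
""".splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        state = "blocked" if h.blocked else "ACCEPTED"
        print(f"{h.ts}  {h.ip:>14}  {h.method} {h.path}  {h.status}  {state}")
    print(f"{len(accepted(found))} accepted request(s) need triage")
```

An accepted request to one of these endpoints from before the patch or restriction was applied is the signal that matters: on an unpatched instance it may mean the site has already been reset, so treat it as an incident rather than a scan. Once the web.xml restriction is in place, the same scan should show only refused requests, which is a cheap way to confirm the mitigation is live.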

For specific mitigation instructions please reference the additional resources.

Additional Resources About CVE-2023-22518