Atlassian is investigating reports from a few customers regarding the potential exploitation of an undisclosed vulnerability in publicly accessible Confluence Data Center and Server instances, allowing unauthorized access and the creation of administrator accounts.
Here’s what Atlassian stated:-
“Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”
Document
FREE Demo
Deploy Advanced AI-Powered Email Security Solution
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023
According to Netlas, it has been reported that the vulnerability has been actively exploited in real-world scenarios.
CVE-2023-22515: Privilege Escalation in Atlassian Confluence Data&Server, 9.0 rating 🔥0-day vuln, which already exploited in the wild. Search at https://t.co/hv7QKSqxTR:👉🏻 Link: https://t.co/k7JMAv2BIH#cybersecurity #vulnerability_map pic.twitter.com/1R4GaDrel9
— Netlas.io (@Netlas_io) October 5, 2023
Flaw profile
-
CVE ID: CVE-2023-22515
-
Description: Broken Access Control Vulnerability in Confluence Data Center and Server
-
Advisory Release Date: Wed, Oct 4th, 2023 06:00 PDT
-
Related Jira Ticket(s): CONFSERVER-92475
-
Severity: Critical
-
CVSS Score: 10.00
IPs Detected
These four IP addresses were detected transmitting exploit traffic linked to CVE-2023-22515:-
-
192.69.90[.]31
-
104.128.89[.]92
-
23.105.208[.]154
-
199.193.127[.]231
Atlassian has classified this vulnerability as Critical with a CVSS score 10 based on their severity levels. That’s why they have recommended users assess its relevance according to their specific IT setup.
Versions Affected & Fixed
Here below, we have mentioned all the Confluence Data Center and Confluence Server versions that are affected:-
-
8.0.0
-
8.0.1
-
8.0.2
-
8.0.3
-
8.0.4
-
8.1.0
-
8.1.1
-
8.1.3
-
8.1.4
-
8.2.0
-
8.2.1
-
8.2.2
-
8.2.3
-
8.3.0
-
8.3.1
-
8.3.2
-
8.4.0
-
8.4.1
-
8.4.2
-
8.5.0
-
8.5.1
Here below, we have mentioned all the Confluence Data Center and Confluence Server versions that are fixed:-
-
8.3.3 or later
-
8.4.3 or later
-
8.5.2 (Long-Term Support release) or later
PT Swarm team stated that they are able to reproduce the issue.
⚠️ We have reproduced CVE-2023-22515 in Atlassian Confluence.Broken access control allows unauthenticated users to gain administrative access to the web application! Update your software ASAP! pic.twitter.com/MlE4ygyf3E
— PT SWARM (@ptswarm) October 10, 2023
Recommendation
For Confluence Data Center and Server instances publicly accessible, temporarily restrict external access until the upgrade.
If that’s not possible, apply for interim protection by blocking /setup/* endpoint access at the network level or by adjusting Confluence configuration files.
Then restart the Confluence, as this step restricts access to unnecessary setup pages in Confluence.
