Atlassian Confluence Data Center and Server are vulnerable to a privilege escalation vulnerability. CVE-2023-22515 is a critical severity vulnerability with a CVSS score of 10. A remote attacker may exploit the vulnerability in a low-complexity attack without user interaction. Successful exploitation of the vulnerability may allow attackers to create unauthorized Confluence administrator accounts and access Confluence instances.
Atlassian has mentioned in their advisory that their customers informed them about the exploitation of the vulnerability in publicly accessible Confluence Data Center and Server instances.
Atlassian has mentioned in the advisory that Atlassian Cloud sites are unaffected by the vulnerability. The confluence site, accessible via an atlassian.net domain hosted by Atlassian, will not be vulnerable to this issue.
CISA has added CVE-2023-22515 to its Known Exploited Vulnerabilities Catalog and recommended users to patch it before October 26, 2023.
Indicators of Compromise
The advisory recommends checking all affected Confluence instances for the following indicators of compromise:
- Unexpected members of the
- Unexpected newly created user accounts
- Requests to
/setup/*.actionin network access logs
- Presence of
/setup/setupadministrator.actionin an exception message in
atlassian-confluence-security.login the Confluence home directory
The vulnerability affects the following versions of the Confluence Data Center and Confluence Server:
Users must upgrade to the listed fixed versions:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (Long-Term Support release) or later
Please refer to the Atlassian Security Advisory (CONFSERVER-92475) for more information.
Atlassian recommends restricting external network access to the affected instance in case users cannot upgrade to the fixed version.
Additionally, users can mitigate known attack vectors for this vulnerability by restricting access to the
/setup/* endpoints on Confluence instances. These adjustments can be made to Confluence configuration files or at the network layer.
/<confluence-install-dir>/confluence/WEB-INF/web.xmland add the following block of code (just before the
</web-app>tag at the end of the file) on each node:
- Restart Confluence.
Qualys customers can scan their devices with QIDs 730931 and 378914 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.