Vulnerability Details : CVE-2023-22518
Public exploit exists!
Used for ransomware!
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to a Confluence instance administrator, leading to (but not limited to) full loss of confidentiality, integrity and availability.
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
CVE-2023-22518 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
Atlassian Confluence Data Center and Server Improper Authorization Vulnerability
CISA required action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CISA description:
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an unauthenticated attacker. There is no impact on confidentiality since the attacker cannot exfiltrate any data.
Notes:
https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html; https://nvd.nist.gov/vuln/detail/CVE-2023-22518
Added on: 2023-11-07
Action due date: 2023-11-28
Exploit prediction scoring system (EPSS) score for CVE-2023-22518
EPSS score: 96.18% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of vulnerabilities scored at or below this one)
Metasploit modules for CVE-2023-22518
- Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)
  Disclosure Date: 2023-10-31
  First seen: 2023-12-19
  Module: exploit/multi/http/atlassian_confluence_unauth_backup
  This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instanc
CVSS scores for CVE-2023-22518
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | Atlassian | |
9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 | Atlassian | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 | NIST | |
CWE ids for CVE-2023-22518
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-22518
- http://packetstormsecurity.com/files/176264/Atlassian-Confluence-Improper-Authorization-Code-Execution.html
  Atlassian Confluence Improper Authorization / Code Execution ≈ Packet Storm
  Tags: Exploit; Third Party Advisory; VDB Entry
- https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-for-confluence-data-wiping-bug-get-patching/
  Atlassian warns of exploit for Confluence data wiping bug, get patching
- https://www.securityweek.com/exploitation-of-critical-confluence-vulnerability-begins/
  Exploitation of Critical Confluence Vulnerability Begins - SecurityWeek
- https://github.com/RootUp/PersonalStuff/blob/master/check_cve_2023_22518.py
  PersonalStuff/check_cve_2023_22518.py at master · RootUp/PersonalStuff · GitHub
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
  CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Confluence Server | Atlassian Support | Atlassian Documentation
  Tags: Issue Tracking; Mitigation; Vendor Advisory
- https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/
  Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518 | Rapid7 Blog
- https://jira.atlassian.com/browse/CONFSERVER-93142
  [CONFSERVER-93142] Improper Authorization in Confluence Data Center and Server - CVE-2023-22518 - Create and track feature requests for Atlassian products.
  Tags: Issue Tracking; Mitigation; Vendor Advisory
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-22518.yaml
  nuclei-templates/http/cves/2023/CVE-2023-22518.yaml at main · projectdiscovery/nuclei-templates · GitHub
Products affected by CVE-2023-22518
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:8.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:8.6.0:*:*:*:*:*:*:*