⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Check all affected Confluence instances for evidence of compromise per vendor instructions and report any positive findings to CISA. Due date: 2023-10-13.

CVE-2023-22515

Severity: 9.8 CRITICAL
EPSS: 94.3% (top 0.05%)
CISA KEV: KEV, Ransomware | Added 2023-10-05 | Due 2023-10-13
Exploit: Exploited in wild | Active exploitation observed
Timeline: Published Oct 4 | KEV added Oct 5 | KEV due Oct 13 | Latest update Nov 15

Description

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this iss

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

NVD | atlassian/confluence_data_center | 8.0.0 | 8.3.3 | +2
CVEListV5 | atlassian/confluence_data_center | 18 versions | +17
NVD | atlassian/confluence_server | 8.0.0 | 8.3.3 | +2
CVEListV5 | atlassian/confluence_server | 18 versions | +17

🔴 Vulnerability Details (3)

CVEList | CVE-2023-22515: Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerab | 2023-10-04
GHSA | GHSA-g458-xvmc-qg2r: Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerab | 2023-10-04
VulnCheck | Atlassian Confluence Data Center and Server Broken Access Control Vulnerability | 2023

💥 Exploits & PoCs (1)

Nuclei | Atlassian Confluence - Privilege Escalation

🔍 Detection Rules (6)

Suricata | ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Vulnerable Server Detected M2 | 2023-10-12
Suricata | ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Step 2/2 Attempt | 2023-10-12
Suricata | ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Step 1/2 Attempt | 2023-10-12
Suricata | ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Vulnerable Server Detected M1 | 2023-10-12
Suricata | ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Step 2/2 Success | 2023-10-12

📋 Vendor Advisories (2)

CISA | Atlassian Confluence Data Center and Server Broken Access Control Vulnerability | 2023-10-05
Atlassian | CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server

🕵️ Threat Intelligence (5)

Qualys | Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515) | 2023-11-15
Qualys | Atlassian Confluence (CVE-2023-22515): Broken Access Control Bug | Qualys | 2023-11-15
Bleepingcomputer | CISA, FBI urge admins to patch Atlassian Confluence immediately | 2023-10-16
Threat Intel | Ukrainian Cyber Alliance
Greynoiseio | The Fifth Day Of Tagsmas (2023): Unauthorized Admin Accounts on Atlassian Confluence Server and Data Center (CVE-2023-22515)