⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.. Due date: 2023-11-28.

CVE-2023-22518

CWE-863 — Incorrect Authorization29 documents14 sources

Severity

9.8CRITICAL

EPSS

94.4%

top 0.03%

CISA KEV

KEVRansomware

Added 2023-11-07

Due 2023-11-28

Exploit

Exploited in wild

Active exploitation observed

Affected products

Atlassian Confluence Data Center Atlassian Confluence Server

Timeline

PublishedOct 31

KEV addedNov 7

Latest updateNov 14

KEV dueNov 28

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability. Atlassian Cloud sites ar…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDatlassian/confluence_data_center1.0 — 7.19.16+4

▶CVEListV5atlassian/confluence_data_center>= 1.0.0

▶NVDatlassian/confluence_server1.0 — 7.19.16+4

▶CVEListV5atlassian/confluence_server>= 1.0.0

🔴Vulnerability Details

GHSA

GHSA-8prx-84h6-4fr5: All versions of Confluence Data Center and Server are affected by this unexploited vulnerability↗2023-10-31

▶

CVEList

CVE-2023-22518: All versions of Confluence Data Center and Server are affected by this unexploited vulnerability↗2023-10-31

▶

VulnCheck

Atlassian Confluence Data Center and Server Improper Authorization Vulnerability↗2023

▶

💥Exploits & PoCs

Metasploit

Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)↗

▶

Nuclei

Atlassian Confluence Server - Improper Authorization

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 7.x M1↗2023-11-06

▶

Suricata

ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected M1 Version 1.x-6.x↗2023-11-06

▶

Suricata

ET EXPLOIT Possible Atlassian Confluence Improper Authentication Validation Exploitation Attempt set (CVE-2023-22518)↗2023-11-06

▶

Suricata

ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 7.x M2↗2023-11-06

▶

Suricata

ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M2↗2023-11-06

▶

📋Vendor Advisories

CISA

Atlassian Confluence Data Center and Server Improper Authorization Vulnerability↗2023-11-07

▶

Atlassian

CVE-2023-22518 - Improper Authorization Vulnerability in Confluence Data Center and Server↗

▶

🕵️Threat Intelligence

Sentinelone

C3RB3R Ransomware | Ongoing Exploitation of CVE-2023-22518 Targets Unpatched Confluence Servers↗2023-11-14

▶

Sentinelone

C3RB3R Ransomware | Ongoing Exploitation of CVE-2023-22518 Targets Unpatched Confluence Servers↗2023-11-14

▶

Trendmicro

Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518↗2023-11-10

▶

Trendmicro

Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518↗2023-11-10

▶

Trendmicro

Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518↗2023-11-10

▶