
CVE-2023-22515 PoC — Atlassian Confluence Server Security Vulnerability

Associated Vulnerability
Title: Atlassian Confluence Server Security Vulnerability (CVE-2023-22515)
Description: Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Readme
# CVE-2023-22515-Scan

## About
This is a simple scanner for [CVE-2023-22515](https://nvd.nist.gov/vuln/detail/CVE-2023-22515), a critical vulnerability in Atlassian Confluence Data Center and Server that is actively being exploited in the wild by threat actors in order "to create unauthorized Confluence administrator accounts and access Confluence instances". The vulnerability was initially described as a "privilege escalation" issue, but Atlassian later changed the classification to "broken access control" in their [security advisory](https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html).

## Timeline of CVE-2023-22515
- 4 October 2023: Atlassian publishes a [security advisory](https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html) on CVE-2023-22515, which it then described as a critical "privilege escalation" vulnerability in Atlassian Confluence Data Center and Server. The advisory covers vulnerable versions, patched versions, workarounds and IOCs.
- 5 October 2023: US CISA [adds CVE-2023-22515](https://www.cisa.gov/news-events/alerts/2023/10/05/cisa-adds-three-known-exploited-vulnerabilities-catalog) to their [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). On the same day, Rapid7 updates their [article](https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/) on CVE-2023-22515, originally published on 4 October, to mention that Rapid7 security researcher [Stephen Fewer](https://twitter.com/stephenfewer) has confirmed the vulnerability to be fully unauthenticated and trivially exploitable. The update also mentioned that Rapid7 leveraged the `/server-info.action` endpoint to trigger the issue, which is different from the endpoints mentioned in the Atlassian advisory.
- 6 October 2023: Atlassian edits the description of CVE-2023-22515 in their [security advisory](https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html) from "privilege escalation" to "broken access control".

## CVE-2023-22515-Scan details
This is a simple scanner that will attempt to determine the vulnerability status of Atlassian Confluence by performing up to two HTTP GET requests per host and analyzing the responses:
- A GET request to the provided URL (which should be the base URL for the app) to verify that the target is Atlassian Confluence and to obtain the product version.
- A GET request to `/server-info.action` to check the response code. Patch diffing showed that the patch for CVE-2023-22515 removes the `/server-info.action` endpoint entirely. During testing, the following behavior was observed for this endpoint:
    - Unaffected versions (before 8.0.0), respond with a 404 status code
    - Vulnerable versions respond with a 200 status code
    - Patched versions respond with a 302 status code

## Tested versions
The scanner has been successfully tested against the following versions of Atlassian Confluence Server:
- 7.4.10 (not affected)
- 8.4.2 (vulnerable)
- 8.4.3 (patched)
- 8.5.0 (vulnerable)
- 8.6.0 (latest docker image - patched)

Since the script has been tested against a limited number of versions of Atlassian Confluence Server, *the scanner may not be fully reliable, especially for Confluence Data Center or for untested versions of Confluence Server*.

## Installation
- Clone the repo
```
git clone https://github.com/ErikWynter/CVE-2023-22515-Scan.git
```
- Enter the created directory
```
cd CVE-2023-22515-Scan
```
- Install the dependencies with pip. Depending on your local python3 setup, the required commands will be either:
```
pip install -r requirements.txt
```
or:
```
pip3 install -r requirements.txt
```

## Usage
```
usage: cve_2023_22515_scan.py [-h] [-f FILE] [-t TARGETS] [-o OUTPUT_DIR]

Scan Atlassian Confluence web instances for CVE-2023-22515

options:
  -h, --help     show this help message and exit
  -f FILE        File containing a list of URLs to scan
  -t TARGETS     Comma-separated list of URLs to scan
  -o OUTPUT_DIR  Output directory
```
eg:
```
python cve_2023_22515_scan.py -f urls.txt -o results
```
```
python cve_2023_22515_scan.py -t http://192.168.10.10,http://192.168.10.11 -o results
```
## Vulnerability statuses
- `likely vulnerable`: The target is running a vulnerable version (or the version could not be detected) and has the vulnerable `/server-info.action` endpoint available.
- `likely not exploitable`: The target is running a vulnerable version, but the `/server-info.action` endpoint is not accessible, which means it is likely patched.
- `not vulnerable`: The target is not running a vulnerable version, or the version could not be detected and the `/server-info.action` endpoint was not accessible.
- `unknown`: The vulnerability status could not be determined because an error was encountered while trying to access the `/server-info.action` endpoint.
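The two-request check described under "CVE-2023-22515-Scan details" and the status mapping above, written out as a small standalone Python module. This is an added example, not the scanner's own code: the version markers it looks for (the `ajs-version-number` meta tag and the "Powered by Atlassian Confluence" footer) are assumptions about Confluence HTML, the rule that every version from 8.0.0 upward is treated as potentially affected follows only from the README's statement that versions before 8.0.0 are unaffected (the exact fixed versions are in Atlassian's advisory), and the sample responses are constructed, not captured from real hosts. Redirects are deliberately not followed, since a 302 on `/server-info.action` is the patched signal.

```python
import re
import urllib.error
import urllib.request

# Assumed version markers in Confluence HTML (not specified by the README).
VERSION_PATTERNS = [
    re.compile(r'<meta\s+name="ajs-version-number"\s+content="([0-9][0-9.]*)"', re.I),
    re.compile(r"Powered by Atlassian Confluence\s+([0-9][0-9.]*)", re.I),
]


def parse_version(html):
    """Return the Confluence version string found in a page body, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(html)
        if match:
            return match.group(1).rstrip(".")
    return None


def version_tuple(version):
    """'8.5.0' -> (8, 5, 0); short strings are padded so '8' compares as 8.0.0."""
    parts = [int(p) for p in version.split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(version):
    # README: versions before 8.0.0 are unaffected. Everything from 8.0.0 up is
    # treated as potentially affected here and the endpoint probe decides.
    return version_tuple(version) >= (8, 0, 0)


def classify(version, status):
    """Map (detected version, /server-info.action status) to the README's statuses."""
    if status is None:  # request error
        return "unknown"
    endpoint_available = status == 200  # vulnerable builds answer 200; patched 302; pre-8.0 404
    if version is None:
        return "likely vulnerable" if endpoint_available else "not vulnerable"
    if not is_affected_version(version):
        return "not vulnerable"
    return "likely vulnerable" if endpoint_available else "likely not exploitable"


def http_get(url, timeout=10):
    """Return (status_code, body) without following redirects; (None, '') on error."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError carrying the 3xx code

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError, ValueError):
        return None, ""


def scan_target(base_url, get=http_get):
    """Fingerprint one host and return a result dict, or None if it is not Confluence."""
    base_url = base_url.rstrip("/")
    status, html = get(base_url)
    if status is None:
        return None
    version = parse_version(html)
    if version is None and "Confluence" not in html:
        return None  # not recognised as Confluence; skipped like the README's report does
    probe_status, _ = get(base_url + "/server-info.action")
    return {
        "target_url": base_url,
        "product": "Atlassian Confluence",
        "version": version,
        "vulnerability_status": classify(version, probe_status),
    }


# Constructed offline responses mimicking the behaviour the README describes.
FAKE_RESPONSES = {
    "http://10.0.0.1:8090": (200, '<title>Dashboard - Confluence</title><meta name="ajs-version-number" content="8.5.0">'),
    "http://10.0.0.1:8090/server-info.action": (200, "<html>server info</html>"),
    "http://10.0.0.2:8090": (200, '<meta name="ajs-version-number" content="8.4.3">'),
    "http://10.0.0.2:8090/server-info.action": (302, ""),
    "http://10.0.0.3:8090": (200, "<footer>Powered by Atlassian Confluence 7.4.10</footer>"),
    "http://10.0.0.3:8090/server-info.action": (404, ""),
}


def fake_get(url, timeout=10):
    """Stand-in for http_get that serves the constructed responses above."""
    return FAKE_RESPONSES.get(url, (None, ""))


if __name__ == "__main__":
    for host in ("http://10.0.0.1:8090/", "http://10.0.0.2:8090", "http://10.0.0.3:8090"):
        print(scan_target(host, fake_get))
```

Against real hosts, pass the default `http_get` (or simply omit the `get` argument). Note that `version is None` with a 200 on the probe is reported as `likely vulnerable`, matching the README's rule that an undetected version does not downgrade the verdict when the endpoint is reachable.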

## Output files
- `cve_2023_22515_scan.json` - JSON file with the product version, vulnerability status and other relevant information for any systems that were recognized by the script. Example contents:
```
[
  {
    "target_url": "http://192.168.91.202:8091",
    "product": "Atlassian Confluence",
    "version": "8.5.0",
    "vulnerability_status": "likely vulnerable"
  },
  {
    "target_url": "http://192.168.91.200:8090",
    "product": "Atlassian Confluence",
    "version": "8.4.3",
    "vulnerability_status": "not vulnerable"
  }
]
```
- `cve_2023_22515_scan.txt` - Text file with a human-readable breakdown of the results. This is identical to the report being printed to the console (minus the ANSI colors). Example contents:
```
http://192.168.91.202:8091 - Product: Atlassian Confluence Version: 8.5.0 - vulnerability status: likely vulnerable
http://192.168.91.200:8090 - Product: Atlassian Confluence Version: 8.4.3 - vulnerability status: not vulnerable
```

## Patching
Please refer to the official [security advisory](https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html) for information on affected versions and patched versions.

## Example output
![example_output](https://github.com/ErikWynter/CVE-2023-22515-Scan/assets/55885619/44397db0-9290-4be5-8057-fea0a273ba6a)