History:
Atlassian has been made aware of a critical vulnerability, CVE-2023-22515, a Broken Access Control vulnerability in Confluence Data Center and Server. External attackers may exploit this vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorised Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability.
External attackers can exploit a vulnerability in publicly accessible Confluence Data Center and Server instances. This allows them to create unauthorized Confluence administrator accounts and access the said instances. The vulnerability seems to impact the /setup/*.action and /server-info.action endpoints but no further technical details are provided yet.
Confluence Data Center and Server versions:
Note: Versions prior to 8.0.0 are not affected.
Even after an updating Confluence to a fixed version, ensure you check all affected Confluence instances for:
confluence-administrators group./setup/*.action in network access logs./setup/setupadministrator.action in an exception message in the Confluence home directory (atlassian-confluence-security.log) /server-info.action in network access logs, as mentionned by Rapid7 [2].It is recommended to upgrade to one of the following fixed versions (or any later version):
If upgrading is not immediately possible, you should:
Block access to the /setup/* endpoints. This can be done at the network layer or by modifying configuration files as described:
On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml to include:
<security-constraint>\n <web-resource-collection>\n <url-pattern>/setup/*</url-pattern>\n <http-method-omission>*</http-method-omission>\n </web-resource-collection>\n <auth-constraint />\n </security-constraint>\nRestart Confluence.