CVE-2023-22515 Scanner – Detecting Atlassian Confluence Vulnerability

This is simple scanner for CVE-2023-22515, a critical vulnerability in Atlassian Confluence Data Center and Server that is actively being exploited in the wild by threat actors in order “to create unauthorized Confluence administrator accounts and access Confluence instances”.

The vulnerability was initially described as a “privilege escalation” issue, but Atlassian later changed the classification to “broken access control” in their security advisory.

Timeline Of CVE-2023-22515

4 October 2023: Atlassian publishes a security advisory on CVE-2023-22515, which it then described as a critical “privilege escalation” vulnerability in Atlassian Confluence Data Center.
- The advisory covers vulnerable versions, patched versions, workarounds and IOCs.
5 October 2023: US CISA adds CVE-2023-22515 to their Known Exploited Vulnerabilities Catalog.
- On the same day, Rapid7 updates their article on CVE-2023-22515, originally published on 4 October, to mention that Rapid7 security researcher Stephen Fewer has confirmed the vulnerabilty to be fully unauthenticated and trivially exploitable.
- The update also mentioned that Rapid7 leveraged the /server-info.action endpoint to trigger the issue, which is different from the endpoints mentioned in the Atlassian advisory.
6 October 2023: Atlassian edits the description of CVE-2023-22515 in their security advisory from “privilege escalation” to “broken access control”.

CVE-2023-22515-Scan Details

This is a simple scanner that will attempt to determinie the vulnerability status of Atlassian Confluence by performing up to two HTTP GET requests per host and analyzing the reponses:

A GET request to the provided URL (which should be the base URL for the app) to verifiy that the target is Atlassian Confluence and to obtain the product version.
A GET request to /server-info.action to check the response code. Patch diffing showed that the patch for CVE-2023-22515 removes the /server-info.action endpoint entirely. During testing, the following behavior was observed for this endpoint:
- Unaffected versions (before 8.0.0), respond with a 404 status code
- Vulnerable versions respond with a 200 status code
- Patched versions respond with a 302 status code

Tested Versions

The scanner has been successfully tested against the following versions of Atlassian Confluence Server:

7.4.10 (not affected)
8.4.2 (vulnerable)
8.4.3 (patched)
8.5.0 (vulnerable)
8.6.0 (latest docker image – patched)

Since the script has been tested against a limited number of versions of Atlassian Confluence Server, the scanner may not be fully reliable, especially for Confluence Data Center or for untested versions of Confluence Server.

Installation

Clone the repo

git clone https://github.com/ErikWynter/CVE-2023-22515-Scan.git

Enter the created directory

cd CVE-2023-22515-Scan

Install the dependencies with pip. Depending on your local python3 setup, the required commands will be either:

pip install -r requirements.txt

or:

pip3 install -r requirements.txt

Usage

usage: cve_2023_22515_scan.py [-h] [-f FILE] [-t TARGETS] [-o OUTPUT_DIR]

Scan Atlassian Confluence web instances for CVE-2023-22515

options:
  -h, --help     show this help message and exit
  -f FILE        File containing a list of URLs to scan
  -t TARGETS     Comma-separated list of URLs to scan
  -o OUTPUT_DIR  Output directory

eg:

python cve_2023_22515_scan.py -f urls.txt -o results

python cve_2023_22515_scan.py -t http://192.168.10.10,http://192.168.10.11 -o results`

Vulnerability Statuses

likely vulnerable: The target is running a vulnerable version (or the version could not be detected) and has the vulnerable /server-info.action endpoint available.
likely not exploitable: The target is running a vulnerable version, but the /server-info.action endpoint is not accessible, which means it is likely patched.
not vulnerable: The target is not running a vulnerable version, or the version could not be detected and the /server-info.action endpoint was not accessible.
unknown: The vulnerability status could not be determined because an error was encountered while trying to access the /server-info.action endpoint.

Output Files

cve_2023_22515_scan.json – JSON file with the product version, vulnerability status and other relevant information for any systems that were recognized by the script. Example contents:

[
  {
    "target_url": "http://192.168.91.202:8091",
    "product": "Atlassian Confluence",
    "version": "8.5.0",
    "vulnerability_status": "likely vulnerable"
  },
  {
    "target_url": "http://192.168.91.200:8090",
    "product": "Atlassian Confluence",
    "version": "8.4.3",
    "vulnerability_status": "not vulnerable"
  }
]

cve_2023_22515_scan.txt – Text file with a human-readable breakdown of the results. This is identical to the report being printed to the console (minus the ANSI colors). Example contents:

http://192.168.91.202:8091 - Product: Atlassian Confluence Version: 8.5.0 - vulnerability status: likely vulnerable
http://192.168.91.200:8090 - Product: Atlassian Confluence Version: 8.4.3 - vulnerability status: not vulnerable

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.