This is simple scanner for CVE-2023-22515, a critical vulnerability in Atlassian Confluence Data Center and Server that is actively being exploited in the wild by threat actors in order “to create unauthorized Confluence administrator accounts and access Confluence instances”.
The vulnerability was initially described as a “privilege escalation” issue, but Atlassian later changed the classification to “broken access control” in their security advisory.
/server-info.action
endpoint to trigger the issue, which is different from the endpoints mentioned in the Atlassian advisory.This is a simple scanner that will attempt to determinie the vulnerability status of Atlassian Confluence by performing up to two HTTP GET requests per host and analyzing the reponses:
/server-info.action
to check the response code. Patch diffing showed that the patch for CVE-2023-22515 removes the /server-info.action
endpoint entirely. During testing, the following behavior was observed for this endpoint: The scanner has been successfully tested against the following versions of Atlassian Confluence Server:
Since the script has been tested against a limited number of versions of Atlassian Confluence Server, the scanner may not be fully reliable, especially for Confluence Data Center or for untested versions of Confluence Server.
git clone https://github.com/ErikWynter/CVE-2023-22515-Scan.git
cd CVE-2023-22515-Scan
pip install -r requirements.txt
or:
pip3 install -r requirements.txt
usage: cve_2023_22515_scan.py [-h] [-f FILE] [-t TARGETS] [-o OUTPUT_DIR]
Scan Atlassian Confluence web instances for CVE-2023-22515
options:
-h, --help show this help message and exit
-f FILE File containing a list of URLs to scan
-t TARGETS Comma-separated list of URLs to scan
-o OUTPUT_DIR Output directory
eg:
python cve_2023_22515_scan.py -f urls.txt -o results
python cve_2023_22515_scan.py -t http://192.168.10.10,http://192.168.10.11 -o results`
likely vulnerable
: The target is running a vulnerable version (or the version could not be detected) and has the vulnerable /server-info.action
endpoint available.likely not exploitable
: The target is running a vulnerable version, but the /server-info.action
endpoint is not accessible, which means it is likely patched.not vulnerable
: The target is not running a vulnerable version, or the version could not be detected and the /server-info.action
endpoint was not accessible.unknown
: The vulnerability status could not be determined because an error was encountered while trying to access the /server-info.action
endpoint.cve_2023_22515_scan.json
– JSON file with the product version, vulnerability status and other relevant information for any systems that were recognized by the script. Example contents:[
{
"target_url": "http://192.168.91.202:8091",
"product": "Atlassian Confluence",
"version": "8.5.0",
"vulnerability_status": "likely vulnerable"
},
{
"target_url": "http://192.168.91.200:8090",
"product": "Atlassian Confluence",
"version": "8.4.3",
"vulnerability_status": "not vulnerable"
}
]
cve_2023_22515_scan.txt
– Text file with a human-readable breakdown of the results. This is identical to the report being printed to the console (minus the ANSI colors). Example contents:http://192.168.91.202:8091 - Product: Atlassian Confluence Version: 8.5.0 - vulnerability status: likely vulnerable
http://192.168.91.200:8090 - Product: Atlassian Confluence Version: 8.4.3 - vulnerability status: not vulnerable
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…