External risk intelligence

Confluence Data Center and Server Unauthorized Administrator Account Creation

CVE advisory
Known Exploit

CVE-2023-22515

External attackers can exploit a vulnerability in Atlassian Confluence Data Center and Server to create unauthorized administrator accounts, potentially leading to data compromise and business disruption.

Halo Surface Signal: 5

Atlassian Confluence Data Center

Affected versions:

  • 8.0.0 to before 8.3.3
  • 8.4.0 to before 8.4.3
  • 8.5.0 to before 8.5.2

External exposure likelihood

Halo Surface Signal score for CVE-2023-22515

Confluence Data Center and Server are enterprise collaboration platforms that are frequently deployed as public-facing web applications so that employees and external collaborators can reach them remotely. In many common deployment patterns they are therefore exposed to the public internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

Organizations using Atlassian Confluence Data Center and Server may be exposed to risks due to a flaw in the software. This vulnerability could allow external attackers to gain unauthorized administrative access to Confluence instances. Such access could lead to significant business disruption and compromise of sensitive information.

  • Confluence Data Center and Server
  • Unauthorized administrator account creation
  • Data access and system compromise

Attack Path

How an attacker could exploit the issue

The vulnerability allows external attackers to gain unauthorized administrative access to Confluence instances. This can occur when Confluence Data Center or Server is publicly accessible, enabling an attacker to exploit the flaw. Once access is gained, an attacker can create new administrator accounts. This bypasses normal access controls and provides elevated privileges within the Confluence environment.

  • Publicly accessible instances are exposed.
  • Attacker creates administrator accounts.
  • Unauthorized access and control result.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability in Confluence Data Center and Server presents a significant risk as external attackers can exploit it to gain unauthorized administrative access. This access allows for the creation of new administrator accounts and the compromise of sensitive Confluence data. While Atlassian Cloud sites are unaffected, organizations using on-premises or self-managed Confluence instances require immediate attention. The known exploitation and critical severity indicate a high level of business risk.

  • Attacker skill: Low
  • Required access: None
  • Business risk: High, treat as urgent

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows external attackers to create unauthorized administrator accounts and access Confluence instances. Organizations should prioritize identifying all affected Confluence Data Center and Server assets. Prompt action is necessary to mitigate potential business risk and unauthorized data access.

  • Find affected Confluence assets.
  • Reduce exposure or isolate affected systems.
  • Apply the vendor fix and validate.
  • Monitor for related issues.
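To support the "find affected Confluence assets" step, the following added example (not part of the advisory) checks version strings from an asset inventory against the three affected ranges listed above. The hostnames and versions in the sample inventory are constructed.

```python
# Added example (not from the advisory): classify a Confluence Data Center / Server
# version string against the affected ranges for CVE-2023-22515.
# Lower bound inclusive, upper bound exclusive: 8.0.0 <= v < 8.3.3,
# 8.4.0 <= v < 8.4.3, 8.5.0 <= v < 8.5.2.
import re

AFFECTED_RANGES = (
    ((8, 0, 0), (8, 3, 3)),
    ((8, 4, 0), (8, 4, 3)),
    ((8, 5, 0), (8, 5, 2)),
)


def parse_version(version: str) -> tuple:
    """Turn '8.4.2' (or '8.4.2-rc1', '8.4') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the vulnerable ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map host -> version string to host -> 'affected' / 'not affected'."""
    return {host: ("affected" if is_affected(ver) else "not affected")
            for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "wiki-01.example.internal": "8.2.0",    # inside 8.0.0 .. 8.3.3
    "wiki-02.example.internal": "8.3.3",    # first fixed release of the 8.3 line
    "wiki-03.example.internal": "8.4.1",    # inside 8.4.0 .. 8.4.3
    "wiki-04.example.internal": "8.5.2",    # first fixed release of the 8.5 line
    "wiki-05.example.internal": "7.19.14",  # below the listed ranges
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Versions outside the listed ranges (for example the 7.x line) are reported as not affected only because the advisory does not list them; confirm against the vendor bulletin before closing those hosts out.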

Frequently asked questions

What is Atlassian Confluence Data Center and Server?

Confluence Data Center and Server are collaboration software products developed by Atlassian. They are used by teams to create, organize, share, and discuss work, enabling centralized knowledge management and project collaboration [7, 8, 9].

What type of vulnerability is CVE-2023-22515?

CVE-2023-22515 is classified as a broken access control vulnerability. This weakness allows unauthenticated attackers to bypass security restrictions and create unauthorized administrator accounts on affected Confluence instances [2, 5].

How can CVE-2023-22515 be exploited?

Attackers can exploit this vulnerability by sending a request to the `/server-info.action` endpoint with a specific parameter that forces the application into setup mode. This bypasses authentication and allows the attacker to create a new administrator account [15, 16].

What is the relevance of CVE-2023-22515 according to CISA?

CISA has added CVE-2023-22515 to its Known Exploited Vulnerabilities Catalog due to active exploitation. The agency, along with the FBI and MS-ISAC, warns of widespread exploitation due to the ease with which this vulnerability can be leveraged to gain initial access to Confluence instances [1].

What actions should be taken regarding CVE-2023-22515?

Organizations running affected versions of Confluence Data Center and Server should immediately upgrade to a patched version. If an upgrade is not immediately possible, restricting external network access to vulnerable systems is advised. Additionally, it is recommended to conduct threat detection and audit for any signs of compromise, such as unexpected administrator accounts [1, 11, 12].
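For the threat-detection step, the following added example (not part of the advisory) scans web-server access-log lines from a proxy in front of Confluence and surfaces requests to `/server-info.action` that carry a query string, the request shape the FAQ above associates with exploitation. The log lines, addresses, times and the parameter name `exampleSetupParam` are constructed placeholders, not the real exploit parameter.

```python
# Added example (not from the advisory): flag access-log entries that hit
# /server-info.action with a query string, for CVE-2023-22515 hunting.
import re
from urllib.parse import parse_qs

# Combined/common log format: client, ident, user, [time], "METHOD path HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)


def find_setup_probes(lines):
    """Return one finding per request to /server-info.action that carries a query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than mis-classify
        if m["path"] != "/server-info.action" or not m["query"]:
            continue  # plain hits on the endpoint without parameters are not flagged
        params = parse_qs(m["query"], keep_blank_values=True)
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "time": m["time"],
            "status": int(m["status"]),
            "params": sorted(params),  # parameter names only, for triage
        })
    return findings


# Constructed sample log lines (addresses, times and parameter name are made up).
SAMPLE_LOG = [
    '10.0.0.5 - alice [03/Oct/2023:10:01:12 +0000] "GET /dashboard.action HTTP/1.1" 200 5123',
    '203.0.113.7 - - [03/Oct/2023:10:02:40 +0000] '
    '"GET /server-info.action?exampleSetupParam=false HTTP/1.1" 302 0',
    '10.0.0.9 - bob [03/Oct/2023:10:03:00 +0000] "GET /server-info.action HTTP/1.1" 200 812',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_setup_probes(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} user={f['user']} status={f['status']} params={f['params']}")
```

Pair any hit with a review of the Confluence administrator group for accounts created around the same timestamp, since the unexpected admin account is the artifact the advisory tells you to look for.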
