Merge pull request #695 from WesselDIVD/DIVD-2023-00045

DIVD-2023-00045 case file add
DIVD-NL · Dec 19, 2023 · 3273a9c · 3273a9c
2 parents bed1193 + d8e9cff
commit 3273a9c
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 7 deletions.
diff --git a/_cases/2023/DIVD-2023-00042.md b/_cases/2023/DIVD-2023-00042.md
@@ -6,7 +6,7 @@ excerpt: "Confluence Data Center and Server allow unauthorized users to set Conf
 author: Wessel Baltus
 lead: Wessel Baltus
 researchers:
-- Max van der horst
+- Max van der Horst
 - Wessel Baltus
 # You can use free text here as well. E.g. to indicate that some vulnerabilities don't have CVEs assigned (yet).
 cves:
@@ -15,7 +15,7 @@ product:
 - Confluence Data Center
 - Confluence Server
 versions: 
-- all versions prior to 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1
+- All versions prior to 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1
 recommendation: "Upgrade to patched versions stated on atlassian website"
 patch_status: Fully patched
 #workaround: n/a
@@ -32,7 +32,7 @@ timeline:
 - start: 2023-11-20
   end:
   event: "DIVD created a list of vulnerable Confluence instancess"
-- start: 2022-11-22
+- start: 2023-11-22
   end:
   event: "First version of this case file"
 #ips: 
@@ -41,7 +41,7 @@ timeline:
 ---
 ## Summary
 
-An improper authorization vulnerability has been identified inside Atlassian Confluence versions before (7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1). this allows an unauthorized user to set the Confluence server in setup-up mode, and using this setup mode create administrator accounts which can be used to facilitate remote code execution" 
+An improper authorization vulnerability has been identified inside Atlassian Confluence versions before (7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1). This allows an unauthorized user to set the Confluence server in setup-up mode, and using this setup mode create administrator accounts which can be used to facilitate remote code execution" 
 
 ## What you can do
 
@@ -58,6 +58,4 @@ DIVD is currently working to identify vulnerable parties and notify these.
 
 
 ## More information
-* List all resources here
-* [Blog from Grafana](https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/)
-* [CVE-2021-43798](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43798)
+* [Atlassian advisory](https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html)
diff --git a/_cases/2023/DIVD-2023-00045.md b/_cases/2023/DIVD-2023-00045.md
@@ -0,0 +1,65 @@
+---
+layout: case
+# Title and excerpt will be used on /cases and the RSS feed so make sure they reflect the case well    
+title: "Confluence RCE Vulnerability In Confluence Data Center and Confluence Server"
+excerpt: "Confluence Data Center and Server RCE vulnerability allow an authorized user, including one with anonymous access, to inject unsafe user input into a Confluence page"
+author: Wessel Baltus
+lead: Wessel Baltus
+researchers:
+- Ralph Horn
+- Wessel Baltus
+# You can use free text here as well. E.g. to indicate that some vulnerabilities don't have CVEs assigned (yet).
+cves:
+- CVE-2023-22522
+product: 
+- Confluence Data Center
+- Confluence Server
+versions: 
+- All versions on Confluence Data Center and Server proir to 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS)
+- All versions on Confluence Data Center only prior to 8.6.2, 8.7.1
+recommendation: "Upgrade to patched versions stated on Atlassian website"
+patch_status: Fully patched
+#workaround: n/a
+status : Open
+start: 2023-12-05
+end: 
+timeline:
+- start: 2023-12-05
+  end:
+  event: "Vulnerability reported to Atlasssian Confluence"
+- start: 2023-12-05
+  end:
+  event: "Advisory released by atlassian "
+- start: 2023-12-09
+  end:
+  event: "DIVD created a list of vulnerable Confluence instancess"
+- start: 2022-12-09
+  end:
+  event: "First version of this case file"
+#ips: 
+# ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials)
+# This field becomes mandatory when the case status is set to 'Closed'
+---
+## Summary
+
+An remote code execution vulnerability has been identified inside Atlassian Confluence Data Center and Server. Data Center and Server versions prior to 7.19.17, 8.4.5, 8.5.4 and Data Center only versions prior to 8.6.2, 8.7.1 are vulnerable. The vulnerabilty allows an authenticated user, including one with anonymous access, to use template injection and obtain remote code execution.
+
+## What you can do
+
+Upgrade to patched versions for Data Center and Server: 7.19.17; 8.4.5; 8.5.4.
+Upgrade to patched versions for Data Center Only : 8.6.2; 8.7.1.
+
+
+## What we are doing
+
+DIVD is currently working to identify vulnerable parties and notify these.
+ We do this by scanning for exposed Atlassian Confluence instances and examining these instances to determine whether the vulnerability is present.
+ Owners of vulnerable instances receive a notification with the host information and remediation steps.
+
+{% comment %}  Leave this here, so we see a timeline{% endcomment %}
+{% include timeline.html %}
+
+
+## More information
+* [Atlassian advisory](https://confluence.atlassian.com/security/cve-2023-22522-rce-vulnerability-in-confluence-data-center-and-confluence-server-1319570362.html)
+* {% cve CVE-2023-22522 %}