diff --git a/_cases/2023/DIVD-2023-00042.md b/_cases/2023/DIVD-2023-00042.md new file mode 100644 index 00000000..c26311d6 --- /dev/null +++ b/_cases/2023/DIVD-2023-00042.md @@ -0,0 +1,63 @@ +--- +layout: case +# Title and excerpt will be used on /cases and the RSS feed so make sure they reflect the case well +title: "Confluence improper authorization vulnerability" +excerpt: "Confluence Data Center and Server allow unauthorized users to set Confluence in setup mode leading to the possibility to create administrator accounts that have the capabilities for RCE" +author: Wessel Baltus +lead: Wessel Baltus +researchers: +- Max van der horst +- Wessel Baltus +# You can use free text here as well. E.g. to indicate that some vulnerabilities don't have CVEs assigned (yet). +cves: +- CVE-2023-22518 +product: +- Confluence Data Center +- Confluence Server +versions: +- all versions prior to 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1 +recommendation: "Upgrade to patched versions stated on atlassian website" +patch_status: Fully patched +#workaround: n/a +status : Open +start: 2023-11-11 +end: +timeline: +- start: 2023-10-31 + end: + event: "Vulnerability reported to Atlasssian Confluence" +- start: 2023-10-31 + end: + event: "Advisory released by atlassian " +- start: 2023-11-20 + end: + event: "DIVD created a list of vulnerable Confluence instancess" +- start: 2022-11-22 + end: + event: "First version of this case file" +#ips: +# ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials) +# This field becomes mandatory when the case status is set to 'Closed' +--- +## Summary +​ +An improper authorization vulnerability has been identified inside Atlassian Confluence versions before (7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1). this allows an unauthorized user to set the Confluence server in setup-up mode, and using this setup mode create administrator accounts which can be used to facilitate remote code execution" +​ +## What you can do +​ +Upgrade to patched versions 7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1: +​ +## What we are doing +​ +DIVD is currently working to identify vulnerable parties and notify these. + We do this by scanning for exposed Atlassian Confluence instances and examining these instances to determine whether the vulnerability is present. + Owners of vulnerable instances receive a notification with the host information and remediation steps. +​ +{% comment %} Leave this here, so we see a timeline{% endcomment %} +{% include timeline.html %} +​ +​ +## More information +* List all resources here +* [Blog from Grafana](https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/) +* [CVE-2021-43798](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43798)