Divd 2023 00042 #688

Merged (4 commits) on Nov 28, 2023
63 changes: 63 additions & 0 deletions _cases/2023/DIVD-2023-00042.md
@@ -0,0 +1,63 @@
---
layout: case
# Title and excerpt will be used on /cases and the RSS feed so make sure they reflect the case well
title: "Confluence improper authorization vulnerability"
excerpt: "Confluence Data Center and Server allow unauthorized users to set Confluence in setup mode leading to the possibility to create administrator accounts that have the capabilities for RCE"
author: Wessel Baltus
lead: Wessel Baltus
researchers:
- Max van der horst
- Wessel Baltus
# You can use free text here as well. E.g. to indicate that some vulnerabilities don't have CVEs assigned (yet).
cves:
- CVE-2023-22518
product:
- Confluence Data Center
- Confluence Server
versions:
- all versions prior to 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1
recommendation: "Upgrade to patched versions stated on atlassian website"
patch_status: Fully patched
#workaround: n/a
status : Open
start: 2023-11-11
end:
timeline:
- start: 2023-10-31
end:
event: "Vulnerability reported to Atlasssian Confluence"
- start: 2023-10-31
end:
event: "Advisory released by atlassian "
- start: 2023-11-20
end:
event: "DIVD created a list of vulnerable Confluence instancess"
- start: 2022-11-22
end:
event: "First version of this case file"
#ips:
# ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials)
# This field becomes mandatory when the case status is set to 'Closed'
---
## Summary
An improper authorization vulnerability has been identified inside Atlassian Confluence versions before (7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1). this allows an unauthorized user to set the Confluence server in setup-up mode, and using this setup mode create administrator accounts which can be used to facilitate remote code execution"
## What you can do
Upgrade to patched versions 7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1:
## What we are doing
DIVD is currently working to identify vulnerable parties and notify these.
We do this by scanning for exposed Atlassian Confluence instances and examining these instances to determine whether the vulnerability is present.
Owners of vulnerable instances receive a notification with the host information and remediation steps.
{% comment %} Leave this here, so we see a timeline{% endcomment %}
{% include timeline.html %}
## More information
* List all resources here
* [Blog from Grafana](https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/)
* [CVE-2021-43798](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43798)
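Review bot: The "More information" section at the end of the hunk still contains the template placeholder `* List all resources here` and two links about Grafana CVE-2021-43798, which have nothing to do with this Confluence case (CVE-2023-22518); replace them with the Atlassian advisory and the CVE-2023-22518 record, or leave the section empty until those links are available. In the timeline, `- start: 2022-11-22` for "First version of this case file" is dated a year before every other event and reads as a typo for 2023-11-22, and the case-level `start: 2023-11-11` does not match the first timeline entry (2023-10-31), so one of the two should be corrected. The Summary paragraph ends with a stray double quote (`...facilitate remote code execution"`) and starts its second sentence with a lowercase "this", and the "What you can do" line ends in a colon with nothing following it. Minor: `status : Open` has a space before the colon (inconsistent with the other keys), `Atlasssian` and `instancess` are misspelled, and "atlassian" is lowercased in both the advisory event and the `recommendation` field.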