DIVD-NL · Maximand · Nov 28, 2023 · Nov 27, 2023 · Nov 27, 2023 · Nov 27, 2023
diff --git a/_cases/2023/DIVD-2023-00042.md b/_cases/2023/DIVD-2023-00042.md
@@ -0,0 +1,63 @@
+---
+layout: case
+# Title and excerpt will be used on /cases and the RSS feed so make sure they reflect the case well
+title: "Confluence improper authorization vulnerability"
+excerpt: "Confluence Data Center and Server allow unauthorized user to set Confluence in setup mode leading to the possibility to create administrator accounts that have the capabilities for RCE"
+author: Wessel Baltus
+lead: Wessel Baltus
+researchers:
+- Max van der horst
+- Wessel Baltus
+# You can use free text here as well. E.g. to indicate that some vulnerabilities don't have CVEs assigned (yet).
+cves:
+- CVE-2023-22518
+product: 
+- Confluence Data Center
+- Confluence Server
+versions: 
+- all versions affected
+recommendation: "Upgrade to patched versions stated on atlassian website"
+patch_status: Full patched
+#workaround: n/a
+status : Open
+start: 2023-11-11
+end: 
+timeline:
+- start: 2023-10-31
+  end:
+  event: "Vulnerability reported to Atlasssian Confluence"
+- start: 2023-10-31
+  end:
+  event: "Advisory released by atlassian "
+- start: 2023-11-20
+  end:
+  event: "DIVD created a list of vulnerable Confluence instancess"
+- start: 2022-11-22
+  end:
+  event: "First version of this case file"
+#ips: 
+# ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials)
+# This field becomes mandatory when the case status is set to 'Closed'
+---
+## Summary
+
+An improper authorization vulnerability has been identified inside Atlassian Confluence versions before (7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1). this allows an unauthorized used to set the Confluence server in setup-up mode, and using this setup mode create administrator accounts which can be used to facilitate remote code execution" 
+
+## What you can do
+
+Upgrade to patched versions 7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1:
+
+## What we are doing
+
+DIVD is currently working to identify vulnerable parties and notify these.
+ We do this by scanning for exposed Atlassian Confluence instances and examining this instance to determine whether the vulnerability is present.
+ Owners of vulnerable instances receive a notification with the host information and remediation steps.
+
+{% comment %}  Leave this here, so we see a timeline{% endcomment %}
+{% include timeline.html %}
+
+
+## More information
+* List all resources here
+* [Blog from Grafana](https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/)
+* [CVE-2021-43798](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43798)