Rapid7 mentions in their blog post that they exploited the vulnerability CVE-2023-22515 with the endpoint /server-info.action which isn't mentioned in the advisory. Also if it is the case, that this endpoint allows also the creation of an admin account, the workaround won't work.
Can Atlassian confirm this and update the advisory with the additional IoC?
I'll asked this as well in the ticket: https://jira.atlassian.com/browse/CONFSERVER-92475
Reading the exploit, it appears the workaround doesn't prevent a DoS (triggering a 403 to your system), but does prevent the bad actors from gaining access to your system.
From the exploit: https://github.com/Chocapikk/CVE-2023-22515/blob/main/exploit.py
# It appears the "server-info.action" is used to trigger confluence into a special setup mode.
self.base_url}/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false"
# then "server-info.action" is used to add an account
def trigger_vulnerability(self):
status, _ = self.send_request("GET", f"{self.base_url}/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false")
return status == 200
With the workaround, a bad actor can trigger your confluence into a special setup mode (then all your users will get a 403), but the bad actor will be blocked from adding an admin account.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.