Is CVE-2023-22515 also exploitable via server-info.action?

Manuel
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 10, 2023

Rapid7 mentions in their blog post that they exploited the vulnerability CVE-2023-22515 with the endpoint /server-info.action which isn't mentioned in the advisory. Also if it is the case, that this endpoint allows also the creation of an admin account, the workaround won't work.

Can Atlassian confirm this and update the advisory with the additional IoC?

2 answers

1 vote
Tim Eddelbüttel
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 10, 2023

I'll asked this as well in the ticket: https://jira.atlassian.com/browse/CONFSERVER-92475

0 votes
Darren DeHaven
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 26, 2023

Reading the exploit, it appears the workaround doesn't prevent a DoS (triggering a 403 to your system), but does prevent the bad actors from gaining access to your system.

 

From the exploit: https://github.com/Chocapikk/CVE-2023-22515/blob/main/exploit.py

# It appears the "server-info.action" is used to trigger confluence into a special setup mode. 

self.base_url}/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false"

# then "server-info.action" is used to add an account

def trigger_vulnerability(self):
status, _ = self.send_request("GET", f"{self.base_url}/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false")
return status == 200

With the workaround, a bad actor can trigger your confluence into a special setup mode (then all your users will get a 403), but the bad actor will be blocked from adding an admin account.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events