Critical Confluence Authorization Vulnerability Actively Exploited

Atlassian has warned that as of November 6th it has observed 'several active exploits' and reports of threat actors using ransomware in association with a critical Improper Authorization Vulnerability in Confluence Data Center and Server. 

CVE-2023-22518, first published on October 31st, 2023, is a Confluence vulnerability that affects all pre-existing versions of Data Center and Server. It was initially assigned a CVSS score of 9.1, which was increased to 10, the maximum, on November 6th.  

This is the second critical vulnerability in Atlassian Data Center and Server discovered in the same month, alongside CVE-2023-22515.   

Confluence Improper Authorization vulnerability in detail 

This vulnerability occurs due to Improper Authorization. The bug enables the attacker to: 

  • reset a Confluence instance, and to 
  • create a Confluence instance administrator account. 

This means the attacker can either reset the entire instance, causing the company to lose data unless it is backed up, or they can steal the data by creating an administrator account.   

What you need to do: mitigation of the Confluence Improper Authorization vulnerability 

Since all versions prior to the attack are affected, Atlassian urges users to immediately patch to the new versions released:  

  • 7.19.16, 
  • 8.3.4, 
  • 8.4.4, 
  • 8.5.3, 
  • 8.6.1. 

If patching is not possible straight away, remove the instance from being publicly accessible. This is a temporary measure that allows you to gain time by limiting the attack surface – if your instance is not Internet-facing, attackers cannot reach it as easily. 

Besides this, it is recommended to back-up your instance. 

If you cannot patch the instance and remove it from the internet, you can apply the following temporary solutions, which you can also find on Atlassian’s page

Block access to the following endpoints: 

  • /json/setup-restore.action 
  • /json/setup-restore-local.action 
  • /json/setup-restore-progress.action 

To do that, on each node, modify //confluence/WEB-INF/web.xml and add the following block of code (just before the tag at the end of the file): 

	<auth-constraint />

Then, restart your instance.   

How do you know if you were affected? 

If you cannot login anymore, it could be a sign that your Confluence instance has been compromised. Besides this, look out for: 

  • requests to /json/setup-restore* in your logs, 
  • installed unknown plugins (the malicious plugin was reported, according to Atlassian), 
  • corrupted data or encrypted files that were not encrypted before, 
  • new and unexpected members of the confluence-administrators group, 
  • new and unexpected user accounts. 

Cyscale customers are already protected, as the Cyscale cloud security platform surfaces assets affected by the Improper Authorization Vulnerability in Confluence Data Center and Server as long as their vulnerability scanner of choice has been updated.

Interesting? Share it

Stay Connected

Receive our latest blog posts and product updates.

Our Compliance toolbox

Check out our compliance platform for cloud-native and cloud-first organizations:

CSPM ToolMulti-Cloud Data SecurityGoogle Cloud SecurityAWS Security & ComplianceIAM Cloud SecurityPrevent Cloud Misconfiguration


What we’re up to

CIEM and IAM: The 2 Critical Components of Cloud Security
NIST CSF 2.0: A Detailed Roadmap for Modern Cybersecurity
Key Cloud Security Lessons from 2023's High-Profile Breaches
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2024 Cyscale Limited

crunch base icon
angel icon