CVE-2023-22515

Warnung

Exploit

EPSS 94.35%
Veröffentlicht 04.10.2023 14:15:10
Zuletzt bearbeitet 24.10.2025 13:39:01
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. 

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Confluence Data Center Version >= 8.0.0 < 8.3.3

Atlassian ≫ Confluence Data Center Version >= 8.4.0 < 8.4.3

Atlassian ≫ Confluence Data Center Version >= 8.5.0 < 8.5.2

Atlassian ≫ Confluence Server Version >= 8.0.0 < 8.3.3

Atlassian ≫ Confluence Server Version >= 8.4.0 < 8.4.3

Atlassian ≫ Confluence Server Version >= 8.5.0 < 8.5.2

05.10.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Atlassian Confluence Data Center and Server Broken Access Control Vulnerability

Schwachstelle

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Check all affected Confluence instances for evidence of compromise per vendor instructions and report any positive findings to CISA.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.35%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@atlassian.com	10	3.9	6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://confluence.atlassian.com/display/KB/FAQ+for+CVE-2023-22515

Vendor Advisory

https://confluence.atlassian.com/pages/viewpage.action?pageId=1295682276

Vendor Advisory

https://jira.atlassian.com/browse/CONFSERVER-92475

Vendor Advisory

Issue Tracking

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22515

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2023-22515

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-22515

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-22515

EUVD