DIVD-2023-00042 - Confluence improper authorization vulnerability
| Our reference | DIVD-2023-00042 |
| Case lead | Wessel Baltus |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Upgrade to patched versions stated on atlassian website |
| Patch status | Fully patched |
| Status | Closed |
| Last modified | 14 Apr 2024 21:53 |
Summary
An improper authorization vulnerability has been identified inside Atlassian Confluence versions before (7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1). This allows an unauthorized user to set the Confluence server in setup-up mode, and using this setup mode create administrator accounts which can be used to facilitate remote code execution”
What you can do
Upgrade to patched versions 7.19.16; 8.3.4; 8.4.4; 8.5.3; 8.6.1:
What we are doing
DIVD is currently working to identify vulnerable parties and notify these. We do this by scanning for exposed Atlassian Confluence instances and examining these instances to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and remediation steps.
Timeline
| Date | Description |
|---|---|
| 31 Oct 2023 | Vulnerability reported to Atlasssian Confluence |
| 31 Oct 2023 | Advisory released by atlassian |
| 20 Nov 2023 | DIVD created a list of vulnerable Confluence instances |
| 22 Nov 2023 | First version of this case file |
| 14 Dec 2023 | Because of overlap merged with DIVD-2023-00045 |
gantt
title DIVD-2023-00042 - Confluence improper authorization vulnerability
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00042 - Confluence improper authorization vulnerability (155 days) :2023-11-11, 2024-04-14
section Events
Vulnerability reported to Atlasssian Confluence : milestone, 2023-10-31, 0d
Advisory released by atlassian : milestone, 2023-10-31, 0d
DIVD created a list of vulnerable Confluence instances : milestone, 2023-11-20, 0d
First version of this case file : milestone, 2023-11-22, 0d
Because of overlap merged with DIVD-2023-00045 : milestone, 2023-12-14, 0d