CVE-2023-22515 is a critical vulnerability identified in Atlassian Confluence Data Center and Server. This vulnerability, classified as a broken access control issue, allows remote attackers to exploit publicly accessible Confluence instances to create unauthorized Confluence administrator accounts. Once an attacker gains administrative access, they can perform a wide range of malicious activities, including exfiltrating content, accessing system credentials, and installing malicious plugins.
The vulnerability does not affect Atlassian Cloud sites. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. The vulnerability has a CVSS score of 10, indicating its critical nature. The attack vector is network-based, requiring no authentication and low complexity, making it highly exploitable.
The issue was reported by a handful of customers and has been actively exploited in the wild. Attackers have leveraged this zero-day vulnerability to gain unauthorized access to Confluence instances, leading to significant security breaches. The vulnerability affects Confluence Data Center and Server versions prior to 8.0.0.
Atlassian has provided several updates and advisories to address this issue. They recommend upgrading to the latest fixed versions of Confluence Data Center and Server to mitigate the risk. Additionally, Atlassian has provided threat detection support and reinforced the actions required to secure affected instances. Organizations are advised to work with their local security teams or specialist security forensics firms for further investigation and to contact Atlassian Support for additional assistance.
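Because the impact described above is the creation of administrator accounts that nobody provisioned, one practical check for a defender is to compare the current membership of the Confluence administrators group against the list of accounts that are supposed to be there. The script below is an added example, not code from this advisory summary or from Atlassian. It assumes the Confluence Server/Data Center REST endpoint `GET /rest/api/group/{groupName}/member`, which returns a JSON object whose `results` list holds user records with a `username` field; the group name `confluence-administrators`, the sample response and the allowlist are constructed for illustration.

```python
"""Audit Confluence administrator group membership against an allowlist.

Added example (not Atlassian's code). Assumes the Confluence Server REST
endpoint GET /rest/api/group/{group}/member returns a JSON object with a
"results" list of user records that carry a "username" field.
"""
import json
import urllib.request
from base64 import b64encode

# Assumed default admin group name on Confluence Server / Data Center.
ADMIN_GROUP = "confluence-administrators"

# Constructed sample response, shaped like the assumed endpoint output, so the
# audit runs offline. "svc-backup" stands in for an account nobody provisioned.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"type": "known", "username": "admin", "displayName": "Site Admin"},
        {"type": "known", "username": "jdoe", "displayName": "Jane Doe"},
        {"type": "known", "username": "svc-backup", "displayName": "backup"},
    ],
    "start": 0, "limit": 200, "size": 3,
})


def parse_members(body: str) -> list:
    """Extract usernames from a group-member response body, in response order."""
    data = json.loads(body)
    return [u["username"] for u in data.get("results", []) if "username" in u]


def find_unexpected_admins(members, allowlist) -> list:
    """Return admin accounts absent from the approved list (case-insensitive)."""
    approved = {name.lower() for name in allowlist}
    return [m for m in members if m.lower() not in approved]


def fetch_group_members(base_url: str, user: str, token: str,
                        group: str = ADMIN_GROUP, limit: int = 200) -> list:
    """Page through the (assumed) group-member endpoint on a live instance.

    Not exercised offline; credentials are a read-only audit account's basic
    auth pair. Pagination stops when a page comes back short.
    """
    auth = b64encode(f"{user}:{token}".encode()).decode()
    members, start = [], 0
    while True:
        url = (f"{base_url.rstrip('/')}/rest/api/group/{group}/member"
               f"?start={start}&limit={limit}")
        req = urllib.request.Request(
            url, headers={"Authorization": f"Basic {auth}",
                          "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = parse_members(resp.read().decode())
        members.extend(page)
        if len(page) < limit:
            return members
        start += limit


def audit(body: str, allowlist) -> dict:
    """Summarise one membership listing: total admins and the unexpected ones."""
    members = parse_members(body)
    return {"total": len(members),
            "unexpected": find_unexpected_admins(members, allowlist)}


if __name__ == "__main__":
    # Offline run over the constructed sample; the allowlist is constructed too.
    report = audit(SAMPLE_RESPONSE, ["admin", "jdoe"])
    print(f"{report['total']} admins, unexpected: {report['unexpected']}")
    # For a live check: fetch_group_members("https://confluence.example.invalid",
    #                                       "audit-user", "token")
```

Run the audit on a schedule and treat any non-empty `unexpected` list as an incident trigger rather than something to clean up silently, since the advisory notes that administrative access may already have been used to exfiltrate content, read credentials or install plugins; the allowlist should live outside Confluence so that an attacker with admin rights cannot edit it.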