Atlassian is warning customers about a critical new privilege escalation flaw in many versions of its Confluence product that attackers have been exploiting in the wild.
Many privilege escalation flaws are only locally exploitable, but this appears to be one of the uncommon cases where the flaw may be remotely exploitable. In its advisory, Atlassian said that customers had alerted the company to exploitation of a new flaw (CVE-2023-22515) in the Confluence Server and Data Center products.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the advisory says.
The company did not disclose any further details about the attacks or exploitation scenarios, but has released updated versions of the affected products to address the bug. Researchers at Rapid7 said there are some oddities with this bug.
“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself. It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default,” said Caitlin Condon of Rapid7.
The vulnerability affects version 8.0 and later of Confluence Server and Data Center. The fixed versions are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later.
Any organization running a vulnerable version that is not able to upgrade should limit network access to any vulnerable instance.
“Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to Confluence configuration files,” the Atlassian advisory says.
The company also recommends that organizations look for any unexpected members of the Confluence administrators group in a vulnerable instance, as an indicator of compromise.
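The two defender-side checks the article mentions, deciding whether an instance falls in the affected version range and spotting administrator-group members nobody approved, are simple enough to script. The block below is an added example written for this page, not Atlassian's or Rapid7's code. The fixed versions come from the article; everything else is an assumption: that versions are dotted integers, that the admin group can be exported as a plain list of usernames, that the 8.0, 8.1 and 8.2 lines (for which the article names no fixed release) are treated as vulnerable, and that anything newer than the 8.5 line is reported as "not-listed" because the article does not cover it. The sample member lists are constructed.

```python
"""Triage helpers for the Confluence privilege escalation advisory
(CVE-2023-22515) described in the article. Example code written for this
page, not Atlassian's or Rapid7's own tooling.
"""
from __future__ import annotations

# Fixed versions named in the article, keyed by minor release line.
FIXED_BY_LINE = {
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 3),
    (8, 5): (8, 5, 2),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.4.1' into (8, 4, 1); a short '8.4' becomes (8, 4, 0).

    Assumes Confluence version strings are plain dotted integers.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts + (0,) * (3 - len(parts))


def vulnerable_to_cve_2023_22515(version: str) -> str:
    """Classify a Confluence Server / Data Center version string.

    Returns one of:
      'not-affected' - before 8.0, outside the range the article names
      'vulnerable'   - 8.0 or later and below the fix for its minor line
      'fixed'        - at or above the fixed release for its minor line
      'not-listed'   - a line the article does not cover (check the advisory)
    """
    v = parse_version(version)
    if v < (8, 0, 0):
        return "not-affected"
    line = v[:2]
    if line in FIXED_BY_LINE:
        return "fixed" if v >= FIXED_BY_LINE[line] else "vulnerable"
    if line < (8, 3):
        # Assumption: 8.0-8.2 have no fixed release named, so the only
        # remedy is moving to one of the fixed lines; flag as vulnerable.
        return "vulnerable"
    return "not-listed"


def unexpected_admins(current_members, approved_members):
    """Return administrator-group members absent from the approved baseline.

    The advisory says the attack creates unauthorised administrator
    accounts, so any group member the team did not approve deserves a
    closer look. Matching is case-insensitive by design choice, so that a
    differently cased variant of an approved name is not silently accepted
    as approved nor rejected only because of case.
    """
    approved = {m.strip().lower() for m in approved_members}
    return sorted({m.strip() for m in current_members
                   if m.strip().lower() not in approved})


# Constructed sample data for a stand-alone run (not from a real instance).
SAMPLE_APPROVED = ["admin", "jsmith"]
SAMPLE_CURRENT = ["admin", "jsmith", "support-temp", "Admin2"]

if __name__ == "__main__":
    for ver in ["7.19.2", "8.0.0", "8.4.1", "8.4.3", "8.5.1", "8.5.2", "8.6.0"]:
        print(f"{ver:>8}: {vulnerable_to_cve_2023_22515(ver)}")
    print("unexpected admins:", unexpected_admins(SAMPLE_CURRENT, SAMPLE_APPROVED))
```

Feed `unexpected_admins` the current membership of the `confluence-administrators` group alongside a baseline you captured before the advisory date; on a hit, treat the account as the indicator of compromise the article describes rather than just removing it, since the creation time and source address in the instance's logs are what tell you whether the flaw was actually exercised.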