1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Atlassian Confluence Data Center and Server Broken Access Control Vulnerability

Known Exploited Vulnerabilities CVE-2023-22515 Mappings

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control Vulnerability secondary_impact T1078 Valid Accounts
Comments
This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed to exploiting this vulnerability in the wild.
References
  1. https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  2. https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control Vulnerability secondary_impact T1059 Command and Scripting Interpreter
Comments
This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed to exploiting this vulnerability in the wild.
References
  1. https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  2. https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control Vulnerability primary_impact T1059.007 JavaScript
Comments
This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed to exploiting this vulnerability in the wild.
References
  1. https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  2. https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control Vulnerability primary_impact T1136 Create Account
Comments
This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed to exploiting this vulnerability in the wild.
References
  1. https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  2. https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed to exploiting this vulnerability in the wild.
References
  1. https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  2. https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html