Improper Authorization in Atlassian Confluence Data Center and Server
CVE-2023-22518 is an improper authorization vulnerability affecting Atlassian Confluence Data Center and Server. According to Atlassian, all on-premises Confluence Data Center and Server versions are affected, while Atlassian Cloud is not. The flaw allows an unauthenticated attacker to reset Confluence and create a new Confluence instance administrator account. By obtaining this instance administrator account, the attacker gains access to all administrative actions available to a Confluence instance administrator. Public reporting and vendor guidance describe the issue as enabling unauthorized access through setup- and restore-related application paths, and subsequent abuse has been observed in the wild by threat actors and ransomware operators.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a Python-based exploitation tool targeting Atlassian Confluence Server instances vulnerable to CVE-2023-22518 (Improper Authorization). The main file, exploit.py, is a command-line tool that allows users to specify a single domain or a list of domains to test for the vulnerability. The script constructs and sends a specially crafted multipart/form-data POST request to the /json/setup-restore.action?synchronous=true endpoint of the target server, attempting to trigger the vulnerability. If successful, the tool outputs information indicating the server is vulnerable and may reveal the server path. The script supports proxying (e.g., through Burp Suite), custom timeouts, and output file saving. The repository also includes a requirements.txt for dependencies and a README.md with usage instructions. The exploit is a proof-of-concept and does not provide weaponized or post-exploitation payloads.
This repository provides an operational exploit for CVE-2023-22518, a critical improper authorization vulnerability in Atlassian Confluence Data Center and Server. The vulnerability allows unauthenticated attackers with network access to the Confluence instance to restore the database using a crafted backup file, potentially resulting in arbitrary admin access and command execution. The main exploit is implemented in 'exploit.py', a Python script that prompts the user for a target URL (typically /json/setup-restore.action) and a path to a ZIP file (the malicious backup). The script uploads the ZIP file via a POST request, exploiting the lack of proper authorization checks on the restore endpoint. If successful, the attacker may gain admin access (e.g., 'admin :: admin'). The repository also includes detailed markdown documentation (DETAIL.md, README.md) explaining the vulnerability, affected versions, exploitation steps, and additional endpoints of interest. Several file paths related to Confluence's attachment storage are mentioned, which may be useful for post-exploitation data extraction. The exploit is not part of a framework and is a standalone operational script.
This repository provides a Python exploit script (CVE-2023-22518.py) targeting Atlassian Confluence Server's backup-restore functionality (CVE-2023-22518). The exploit leverages vulnerable endpoints such as /setup/setup-restore.action and related JSON endpoints to upload crafted ZIP files, which can lead to arbitrary file upload and remote code execution. The script supports three modes: 'poc' (proof of concept, checks for vulnerability), 'exp' (exploits the vulnerability to upload files), and 'shell' (uploads a webshell plugin for persistent access). For full exploitation, a valid authenticated admin session (JSESSIONID) is typically required. The repository includes a docker-compose.yml for local testing with Confluence 8.6.0 and PostgreSQL, and references a webshell JAR (shellplug.jar) for post-exploitation. The code is operational and can be used to gain remote access to vulnerable Confluence servers.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
36 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An improper authorization vulnerability in Atlassian Confluence Data Center and Server.
A Confluence server vulnerability referenced as being targeted via Remote ShellServlet access attempts, potentially enabling unauthorized command execution and remote code execution.
A critical vulnerability affecting Atlassian Confluence Data Center and Server (as listed in the report’s Dragonfly/TA17-293A exploited-vulnerabilities table).
A critical vulnerability affecting Atlassian Confluence Data Center and Server, referenced in the context of Dragonfly (Energetic Bear) activity.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.