emerging vulnerabilities

The Confluence CVE-2023-22515 vulnerability: Overview, detection, and remediation

October 13, 2023

The Confluence Cve-2023-22515 Vulnerability: Overview, Detection, And Remediation

On October 4, 2023, Atlassian disclosed an advisory for CVE-2023-22515, a broken access control vulnerability that allows an unauthenticated user to create Confluence administrator accounts.

Key points and observations:

  • October 4, 2023: Advisory is publicly disclosed by Atlassian.
  • October 5, 2023: CISA adds CVE-2023-22515 to Known Exploited Vulnerabilities Catalog.
  • October 5, 2023: A security researcher was able to exploit the vulnerability.
  • October 10, 2023: Rapid7 publishes a detailed article on the vulnerability and how it can be exploited
  • October 11, 2023: Microsoft Threat Intelligence reports that they have witnessed nation-state actors exploiting the vulnerability since at least September 14, 2023, along with early indicators of compromise.

This vulnerability is trivial to exploit and affects a wide range of Atlassian Confluence Server versions.

Check if your system is vulnerable

The following versions of Confluence Data Center and Confluence are impacted by CVE-2023-22515. If you are running one of these versions, your system is vulnerable.

  • 8.0.0 - 8.0.4 (included)
  • 8.1.0 - 8.1.4 (included)
  • 8.2.0 - 8.2.3 (included)
  • 8.3.0 - 8.3.2 (included)
  • 8.4.0 - 8.4.3 (included)
  • 8.5.0 - 8.5.1 (included)

According to Atlassian, versions prior to 8.0.0 are not vulnerable, and neither are Atlassian Cloud Sites.

Remediate affected systems

To remediate a vulnerable Confluence Data Center or Server instance, make sure to upgrade it to one of the following versions:

  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (LTS) or later

Considering this vulnerability is—at the time of writing—under active exploitation, we recommend patching as soon as possible, especially for internet-facing instances.

How the CVE-2023-22215 vulnerability works

Without going into too much detail (a post from Rapid7 explains all the details), the vulnerability relies on the fact that it is possible to re-enable the setup process without being authenticated, then to give access to setup endpoints so that an attacker can create new administrator users.

Exploitation flow of the vulnerability
Exploitation flow of the vulnerability

To ease reproduction for security teams, we have put together a Docker lab environment with a vulnerable Confluence instance and step-by-step instructions on how to exploit the vulnerability.

Activity in the wild

Starting from October 5th, we have witnessed extensive exploitation of this vulnerability in the wild, from a number of different source IP addresses, in a large number of environments we monitor.

HTTP requests to /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete*, based on a sampling of live traffic. Times are in UTC.
HTTP requests to /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete*, based on a sampling of live traffic. Times are in UTC.

We used our modular honeypot framework, HASH, to deploy Confluence honeypots. Based on this, we were able to identify that attackers have been attempting to create the following malicious Confluence users:

User name Full name
Atlassian_SU Atlassian_SU
pleasepatch pleasepatch
kh4sh3i kh4sh3i
YourNewAdminLogin YourNewAdminLogin
s9wixhxfox admin

In addition, we have seen scanning or exploitation activity from a number of IP addresses. We only report IP addresses we have a high confidence for, and that we have seen in at least 5 distinct environments or directly exploiting our honeypots.

We have also observed activity from the following HTTP user agents:

Nuclei - Open-source project (github.com/projectdiscovery/nuclei)
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0

Detection opportunities

You can identify exploitation attempts by detecting the following HTTP requests:

  • GET /server-info.action, with one of the URL parameters below:
  • POST /setup/setupadministrator.action
  • POST /setup/finishsetup.action (optionally - not required to exploit the vulnerability)

Upon successful exploitation of this vulnerability, an administrator user is created. You can therefore review administrator users and identify any newly created or suspicious admin user.

In the example below, we can see a malicious user that was created through the exploitation of the vulnerability:

Malicious user created by exploiting the vulnerability
Malicious user created by exploiting the vulnerability

How Datadog can help

When using a Datadog integration to send HTTP server logs (such as nginx or HAProxy), you can use the following query to identify potential probing or exploitation of this vulnerability:

@http.url_details.path:("server-info.action" OR "/setup/setupadministrator.action")

Although Datadog Application Performance Monitoring (APM) is not usually installed on Confluence servers, you can use it to identify scanning activity on unrelated services, using the following query:

@http.url_details.path:/server-info.action @http.url_details.queryString.bootstrapStatusProvider.applicationConfig.setupComplete:(0 OR false)


CVE-2023-22515 presents a significant security risk, as it allows unauthenticated users to create administrator accounts in vulnerable versions of Atlassian Confluence Server. At the time of writing, this vulnerability is under active exploitation and affects a wide range of Confluence Server versions. As such, we recommend upgrading to non-vulnerable versions of Confluence Data Center and Confluence Server as soon as possible.

We hope that the details provided in this blog post, the list of potentially malicious IP addresses, and the lab environment to reproduce the vulnerability will help security practitioners better understand, detect, and mitigate this threat.

Related Content