# CVE-2023-22515-Scan

## About
This is simple scanner for [CVE-2023-22515](, a critical vulnerability in Atlassian Confluence Data Center and Server that is actively being exploited in the wild by threat actors in order "to create unauthorized Confluence administrator accounts and access Confluence instances". The vulnerability was initially described as a "privilege escalation" issue, but Atlassian later changed the classification to "broken access control" in their [security advisory](

## Timeline of CVE-2023-22515
- 4 October 2023: Atlassian publishes a [security advisory]( on CVE-2023-22515, which it then described as a critical "privilege escalation" vulnerability in Atlassian Confluence Data Center. The advisory covers vulnerable versions, patched versions, workarounds and IOCs.
- 5 October 2023: US CISA [adds CVE-2023-22515]( to their Known [Exploited Vulnerabilities Catalog]( On the same day, Rapid7 updates their [article]( on CVE-2023-22515, originally published on 4 October, to mention that Rapid7 security researcher [Stephen Fewer]( has confirmed the vulnerabilty to be fully unauthenticated and trivially exploitable. The update also mentioned that Rapid7 leveraged the `/server-info.action` endpoint to trigger the issue, which is different from the endpoints mentioned in the Atlassian advisory.
- 6 October 2023: Atlassian edits the description of CVE-2023-22515 in their [security advisory]( from "privilege escalation" to "broken access control".

## CVE-2023-22515-Scan details
This is a simple scanner that will attempt to determinie the vulnerability status of Atlassian Confluence by performing up to two HTTP GET requests per host and analyzing the reponses:
- A GET request to the provided URL (which should be the base URL for the app) to verifiy that the target is Atlassian Confluence and to obtain the product version.
- A GET request to `/server-info.action` to check the response code. Patch diffing showed that the patch for CVE-2023-22515 removes the `/server-info.action`  endpoint entirely. During testing, the following behavior was observed for this endpoint:
    - Unaffected versions (before 8.0.0), respond with a 404 status code
    - Vulnerable versions respond with a 200 status code
    - Patched versions respond with a 302 status code

## Tested versions
The scanner has been successfully tested against the following versions of Atlassian Confluence Server:
- 7.4.10 (not affected)
- 8.4.2 (vulnerable)
- 8.4.3 (patched)
- 8.5.0 (vulnerable)
- 8.6.0 (latest docker image - patched)

Since the script has been tested against a limited number of versions of Atlassian Confluence Server, *the scanner may not be fully reliable, especially for Confluence Data Center or for untested versions of Confluence Server*.

## Installation
- Clone the repo
git clone
- Enter the created directory
cd CVE-2023-22515-Scan
- Install the dependencies with pip. Depending on your local python3 setup, the required commands will be either:
pip install -r requirements.txt
pip3 install -r requirements.txt

## Usage
usage: [-h] [-f FILE] [-t TARGETS] [-o OUTPUT_DIR]

Scan Atlassian Confluence web instances for CVE-2023-22515

  -h, --help     show this help message and exit
  -f FILE        File containing a list of URLs to scan
  -t TARGETS     Comma-separated list of URLs to scan
  -o OUTPUT_DIR  Output directory
python -f urls.txt -o results
python -t, -o results`
## Vulnerability statuses
- `likely vulnerable`: The target is running a vulnerable version (or the version could not be detected) and has the vulnerable `/server-info.action` endpoint available.
- `likely not exploitable`: The target is running a vulnerable version, but the  `/server-info.action` endpoint is not accessible, which means it is likely patched.
- `not vulnerable`: The target is not running a vulnerable version, or the version could not be detected and the `/server-info.action` endpoint was not accessible.
- `unknown`: The vulnerability status could not be determined because an error was encountered while trying to access the `/server-info.action` endpoint.

## Output files
- `cve_2023_22515_scan.json` - JSON file with the product version, vulnerability status and other relevant information for any systems that were recognized by the script. Example contents:
    "target_url": "",
    "product": "Atlassian Confluence",
    "version": "8.5.0",
    "vulnerability_status": "likely vulnerable"
    "target_url": "",
    "product": "Atlassian Confluence",
    "version": "8.4.3",
    "vulnerability_status": "not vulnerable"
- `cve_2023_22515_scan.txt` - Text file with a human-readable breakdown of the results. This is identical to the report being printed to the console (minus the ANSI colors). Example contents:
``` - Product: Atlassian Confluence Version: 8.5.0 - vulnerability status: likely vulnerable - Product: Atlassian Confluence Version: 8.4.3 - vulnerability status: not vulnerable

## Patching
Please refer to the official [security advisory]( for information on affected versions and patched versions.

## Example output