CVE-2023-22518 confluence #349
Conversation
…users/admins login pages
…ke camelCase, skip response content-type check
am0o0
changed the title
|
@amammad could you add links to a vulnerable and a non-vulnerable docker container here? |
|
Hii @maoning :) Please set a Postgres db first, It can be used for both vulnerable and non-vulnerable versions, so please don't re-install it for each confluence version: docker run --name confluencePG -e POSTGRES_USER=confluence -e POSTGRES_PASSWORD=confluence -e POSTGRES_DB=confluence -p "0.0.0.0:5432:5432" -d postgresPlease first spin up the vulnerable version because by using this way you can upgrade it without setting up the database docker again: Setup Vulnerable version: docker run -v /data/your-confluence-home:/var/atlassian/application-data/confluence --name="confluence" -d -p 8090:8090 -p 8091:8091 atlassian/confluence:8.5.1-ubuntu-jdk11run the plugin now :) ShutDown Vulnerable version: docker stop confluence
docker rm confluenceSetup Non-vulnerable version: docker run -v /data/your-confluence-home:/var/atlassian/application-data/confluence --name="confluence" -d -p 8090:8090 -p 8091:8091 atlassian/confluence:8.6.1-ubuntu-jdk11 |
|
for initializing the confluence server you need a trial license, if you can't get one please tell me to send you to your email. |
|
Hi @am0o0, I will soon be taking a look at this PR, but I see that it is using the ~tooryx |
The confluence detector requires feature from release 0.0.20
Fix a typo in the description of the plugin, on the CVE number.
Modify exception logging to use format strings.
Merge declaration and initialization of variable `body`
Remove single-line `;`
Remove unnecessary newline
| .setSeverity(Severity.CRITICAL) | ||
| .setTitle("Atlassian Confluence Data Center Improper Authorization CVE-2023-22515") | ||
| .setDescription( | ||
| "All versions of Confluence Data Center and Server are affected by this vulnerability." |
There was a problem hiding this comment.
This is a bit misleading: this seems to indicate that there is no possible recommendation (i.e. "all versions are affected"). Could you please rework the description? Maybe skipping completely the first sentence.
| "All versions of Confluence Data Center and Server are affected by this vulnerability." | ||
| + " This Improper Authorization vulnerability allows an unauthenticated attacker" | ||
| + " to reset Confluence and create a Confluence instance administrator account.") | ||
| .setRecommendation( |
There was a problem hiding this comment.
Please make this simpler, like "Patch the confluence version to one of the following versions: 7.19.16, [...]"
|
|
||
| @VisibleForTesting | ||
| String buildRootUri(NetworkService networkService) { | ||
| return String.format("http://%s/", toUriAuthority(networkService.getNetworkEndpoint())); |
There was a problem hiding this comment.
This will not work for https, please use buildWebApplicationRootUrl instead
| .addFormDataPart("buildIndex", "false") | ||
| .addFormDataPart( | ||
| "file", | ||
| "someRandomStr14212134.zip", |
There was a problem hiding this comment.
Please consider making someRandomStr14212134 a constant
…_FILE_NAME and RANDOM_ZIP_FILE_CONTENT constants, use `buildWebApplicationRootUrl` to support https
|
@tooryx thanks for the quick review, I hope these changes make this plugin better than before. |
|
Thank you for being so quick to incorporate comments, @am0o0. I will wait for my changes on |
related to #342
Thanks to Project discovery for their awsome blog post and exploit.
https://blog.projectdiscovery.io/atlassian-confluence-auth-bypass/