-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
/
web_exploit_cve_2023_22518_confluence_auth_bypass.yml
42 lines (42 loc) · 1.6 KB
/
web_exploit_cve_2023_22518_confluence_auth_bypass.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
related:
- id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
type: similar
status: experimental
description: |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
- https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
- https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
- https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023/11/14
tags:
- detection.emerging_threats
- attack.initial_access
- attack.t1190
- cve.2023.22518
logsource:
category: webserver
detection:
selection_method:
cs-method: 'POST'
selection_uris:
cs-uri-query|contains:
# Exploitable endpoints
- '/json/setup-restore-local.action'
- '/json/setup-restore-progress.action'
- '/json/setup-restore.action'
- '/server-info.action'
- '/setup/setupadministrator.action'
selection_status:
# Response code may be indicative of exploitation success, but is not always the case
sc-status:
- 200
- 302
- 405
condition: all of selection_*
falsepositives:
- Vulnerability scanners
level: medium