CVE-2023-22515 Configuration

Installation

cscli scenarios install crowdsecurity/CVE-2023-22515

Description

https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/

On October 4, 2023, Atlassian published a security advisory on CVE-2023-22515, a critical privilege escalation vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center. Atlassian does not specify the root cause of the vulnerability or where exactly the flaw resides in Confluence implementations, though the indicators of compromise include mention of the /setup/* endpoints.

YAML Configuration

1## CVE-2023-22515
2type: trigger
3name: crowdsecurity/CVE-2023-22515
4description: "Detect CVE-2023-22515 exploitation"
5filter: |
6  Lower(evt.Parsed.file_ext) == '.action' &&
7  (Lower(evt.Parsed.file_dir) contains '/setup' || Lower(evt.Parsed.file_frag) == 'server-info') &&
8  evt.Parsed.file_frag != nil
9blackhole: 1m
10groupby: "evt.Meta.source_ip"
11labels:
12  type: exploit
13  remediation: true
14  classification:
15    - attack.T1595
16    - attack.T1190
17    - cve.CVE-2023-22515
18  spoofable: 0
19  confidence: 1
20  behavior: "http:exploit"
21  label: "Confluence CVE-2023-22515"
22  service: confluence

Hub configuration

« CVE-2023-22515 »
v0.1 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:confluencespoofable:0MITRE:T1595MITRE:T1190confidence:1

Hub configuration

« CVE-2023-22515 »v0.1 by crowdsecurityAttack scenarioremediation:truetype:exploit service:confluenceCVE-2023-22515spoofable:0MITRE:T1595MITRE:T1190confidence:1

« CVE-2023-22515 »
v0.1 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:confluencespoofable:0MITRE:T1595MITRE:T1190confidence:1