Cyber Resilience

CVE-2023-22518

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 31 October 2023
Modified: 24 October 2025
KEV Added: 07 November 2023
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9437 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-22518 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Atlassian Confluence Data Center. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2023-22518 is an improper authorization vulnerability, tracked under CWE-863, that affects all versions of Confluence Data Center and Server. The flaw permits an unauthenticated attacker to reset a Confluence instance and provision a new instance administrator account, after which any administrative actions become possible and result in complete loss of confidentiality, integrity, and availability. Atlassian Cloud sites hosted under atlassian.net domains are explicitly unaffected.

An unauthenticated remote attacker can exploit the issue over the network with low attack complexity to obtain full administrative control of the affected Confluence deployment. Once the administrator account is created, the attacker can perform any instance-level operations, including data exfiltration, modification, or destruction.

Atlassian has published official advisories and a Jira issue detailing the vulnerability and associated mitigation steps; practitioners should consult the referenced Atlassian pages for patch availability and recommended actions.

The EPSS score peaked at 0.9708 and currently stands at 0.9437, reflecting sustained high exploitation interest after public disclosure, with exploit code appearing in public repositories such as Packet Storm.

EU & UK References

Vulnerability details

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to a Confluence instance administrator, leading to, but not limited to, full loss of confidentiality, integrity and availability. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

CWE(s): CWE-863 (Incorrect Authorization)
KEV Date Added: 07 November 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Atlassian Confluence Data Center: 1.0 to 7.19.16, 7.20.0 to 8.3.4, 8.4.0 to 8.4.4, 8.6.0
Atlassian Confluence Server: 1.0 to 7.19.16, 7.20.0 to 8.3.4, 8.4.0 to 8.4.4, 8.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Directly enforces authorization checks on all access requests, blocking the unauthenticated reset and admin-account creation path described in CVE-2023-22518.

AC-14 (Permitted Actions Without Identification or Authentication), prevent: Explicitly limits the set of actions permitted without identification or authentication, eliminating the unauthenticated administrative reset capability exploited by this flaw.

Prevent: Requires successful identification and authentication before any system access, closing the unauthenticated entry point that allows an attacker to reach the vulnerable reset function.

References