CVE-2023-22518

9.8 CRITICAL

📋 TL;DR

CVE-2023-22518 is an improper authorization vulnerability in Confluence Data Center and Server that allows unauthenticated attackers to reset the application and create administrator accounts. This leads to complete system compromise with administrative privileges. Only self-hosted Confluence instances are affected - Atlassian Cloud sites are not vulnerable.

💻 Affected Systems

Products:
  • Confluence Data Center
  • Confluence Server
Versions: All versions before the fixed releases listed under Fix & Mitigation
Operating Systems: All supported operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: Atlassian Cloud sites (atlassian.net domains) are NOT affected. Only self-hosted instances are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover: the attacker gains full administrative control, can exfiltrate all data, modify or delete content, install backdoors, and disrupt availability.

🟠 Likely Case

Data breach and system compromise: the attacker creates an admin account, accesses sensitive information, and potentially deploys ransomware or other malware.

🟢 If Mitigated

Limited impact if network segmentation and access controls prevent external access to Confluence instances.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows complete compromise of internet-facing Confluence instances.
🏢 Internal Only: HIGH - Even internally accessible instances are vulnerable to any network-accessible attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial and requires no authentication. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.3, 8.4.3, 8.5.2 or later

Vendor Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907

Restart Required: Yes

Instructions:

1. Back up your Confluence instance.
2. Download and install the fixed version from Atlassian's website.
3. Restart Confluence.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Network Isolation (platform: all)

Restrict network access to Confluence instances using firewalls or network security groups.

Disable Setup Endpoint (platform: linux)

Block access to the vulnerable setup endpoint via a web application firewall or reverse proxy.

# Example nginx config to block /setup/* endpoints
# (place inside the server block that fronts Confluence)
location ~ ^/setup/ { deny all; }

🧯 If You Can't Patch

  • Immediately isolate Confluence instances from internet access using firewalls
  • Implement strict network segmentation and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

The instance is vulnerable if its Confluence version is below 8.3.3, 8.4.3, or 8.5.2 and it is self-hosted (not on an atlassian.net domain).

Check Version:

Check the Confluence admin panel, or request the /rest/applinks/1.0/manifest endpoint, which reports the installed version.

Verify Fix Applied:

Verify that the Confluence version is 8.3.3, 8.4.3, 8.5.2 or later, and that attempts to reach the setup endpoints return proper authorization errors.
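The version check above, written out as an added example (this is not code from the page or from Atlassian). It reads the version out of a constructed sample of the manifest XML that /rest/applinks/1.0/manifest returns, then applies the page's rule: self-hosted instances below the fixed release for their branch are vulnerable, atlassian.net sites are not. The fixed-version list defaults to the one stated on this page and can be replaced with whatever the vendor advisory lists for your branch; the manifest sample, hostnames and version numbers in the tests are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions as listed on this page; pass your own list if the vendor advisory differs.
FIXED_VERSIONS = ["8.3.3", "8.4.3", "8.5.2"]

# Constructed sample of the XML body served by /rest/applinks/1.0/manifest.
# Only the <version> element is used; this is not a capture from a real instance.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest>
  <typeId>confluence</typeId>
  <name>Confluence</name>
  <version>8.5.1</version>
  <buildNumber>9012</buildNumber>
</manifest>
"""


def parse_version(v: str) -> tuple:
    """'8.5.1' -> (8, 5, 1); tolerates suffixes such as '8.5.1-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def version_from_manifest(xml_text: str) -> str:
    """Extract the <version> text from a manifest document."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def is_vulnerable(version: str, hostname: str, fixed=FIXED_VERSIONS) -> bool:
    """True when a self-hosted instance runs a release older than the fix for its branch."""
    # Atlassian Cloud sites (atlassian.net) are not affected, per the page.
    if hostname.lower().endswith("atlassian.net"):
        return False
    v = parse_version(version)
    fixed_tuples = sorted(parse_version(f) for f in fixed)
    # Same major.minor branch as a fixed release: vulnerable if older than that fix.
    for f in fixed_tuples:
        if v[:2] == f[:2]:
            return v < f
    # Older than every branch that received a fix: no fixed release exists there.
    if v < fixed_tuples[0]:
        return True
    # Newer than every listed branch: covered by "or later" on the page.
    return False


if __name__ == "__main__":
    ver = version_from_manifest(SAMPLE_MANIFEST)
    print(ver, "vulnerable" if is_vulnerable(ver, "wiki.example.com") else "fixed")
```

In production, fetch the manifest with an authenticated client and feed the body to version_from_manifest; the comparison deliberately ignores build numbers and suffixes, so a release candidate on a fixed branch is judged by its numeric version only.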

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to /setup/* endpoints
  • Unexpected administrator account creation
  • Confluence reset events

Network Indicators:

  • Unusual traffic to Confluence setup endpoints from external IPs
  • POST requests to setup endpoints without authentication

SIEM Query:

source="confluence.log" AND (uri_path="/setup/*" OR event="account_created" OR event="system_reset")
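The log and network indicators above, implemented as an added example that is not part of the page or of any vendor tooling. It runs over constructed access-log lines in combined format and flags requests to setup endpoints that are unauthenticated, are POSTs, or come from outside an assumed set of internal networks. The path pattern covers the /setup/ prefix the page names and also the /json/setup-restore* paths that the vendor advisory linked above lists for this CVE, since a rule that watches only /setup/ would miss those; the log lines, IP ranges and user names are constructed.

```python
import ipaddress
import re

# Constructed sample access-log lines (Apache/nginx combined format).
# Sample data only; these are not lines from any real Confluence instance.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2023:10:00:01 +0000] "GET /rest/applinks/1.0/manifest HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Nov/2023:10:00:02 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 1234 "-" "python-requests/2.31"
203.0.113.77 - - [01/Nov/2023:10:00:03 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - admin [01/Nov/2023:10:05:00 +0000] "GET /setup/finishsetup.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Nov/2023:10:06:00 +0000] "GET /wiki/spaces/DOC HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client IP, authenticated user, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Setup endpoints: the /setup/ prefix from this page plus the /json/setup-restore*
# paths the vendor advisory names for this CVE.
SETUP_PATH_RE = re.compile(r"^/(setup/|json/setup-restore)")

# Assumed internal address ranges; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_trusted(ip: str, nets=TRUSTED_NETS) -> bool:
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def detect(log_text: str, nets=TRUSTED_NETS) -> list:
    """Return one finding per setup-endpoint request that has a suspicious property."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        rec = m.groupdict()
        if not SETUP_PATH_RE.match(rec["path"]):
            continue  # ordinary traffic
        reasons = []
        if rec["user"] == "-":
            reasons.append("unauthenticated request to setup endpoint")
        if rec["method"] == "POST":
            reasons.append("POST to setup endpoint")
        if not is_trusted(rec["ip"], nets):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ip"], f["method"], f["path"], "->", "; ".join(f["reasons"]))
```

An authenticated request to a setup path from an internal address (the admin line in the sample) produces no finding, which keeps legitimate administrative use out of the alert stream; tune the trusted networks and, if your proxy logs the session user differently, the user field check.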

🔗 References

📤 Share & Export