Sporadic scans for "server-info.action", possibly looking for Confluence Server and Data Center Vulnerability CVE-2023-22515
Last Updated: 2023-10-25 15:51:41 UTC
by Johannes Ullrich (Version: 1)
I noticed many scans for "/server-info.action" showing up in our "First Seen URLs" report. This URL didn't ring a bell at first but may be associated with CVE-2023-22515, a recent vulnerability in Confluence Server and Data Center.
Atlassian published an advisory describing this vulnerability on October 4th. It is a broken access control vulnerability. It was initially exploited against a small number of sites, and exploit code is now widely available. The trivial exploit allows an unauthenticated user to create an admin account. For example, a request to exploit this issue may look like:
POST /setup/setupadministrator.action HTTP/1.1
Host: [target host]
However, this isn't the only URL that is available for exploitation. Rapid7 first noted, and Atlassian later confirmed, that the vulnerability may also be exploited via the "/server-info.action" endpoint.
Today, I noticed that we did see some probes for the "server-info.action" URL in addition to the
Please ensure that any filter you use covers both URLs and, even better, do not allow access to any Atlassian product from the open internet.
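A log check that covers both URLs, as an added example that is not part of the original diary. It assumes Combined Log Format access logs; the function names, the normalization rules and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The two request paths named in this diary, compared after normalization.
WATCHED_PATHS = {"/setup/setupadministrator.action", "/server-info.action"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target):
    """Canonicalize a request target so trivial variations still compare equal."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])  # drop query, decode %xx
    stack = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]       # strip ;path-parameters
        if seg == "..":
            del stack[-1:]               # resolve parent reference (no-op if empty)
        elif seg not in ("", "."):       # collapse "//" and "/./"
            stack.append(seg)
    # Lowercasing is deliberately conservative: over-matching beats a miss.
    return "/" + "/".join(stack).lower()

def find_probes(lines):
    """Return (ip, method, normalized_path, status) for each watched request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if path in WATCHED_PATHS:
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2023:10:00:01 +0000] "GET /server-info.action HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [25/Oct/2023:10:00:05 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.7 - - [25/Oct/2023:10:01:00 +0000] "GET //Server-Info.action;x=1?a=b HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.8 - - [25/Oct/2023:10:02:00 +0000] "GET /%73erver-info.action HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.5 - - [25/Oct/2023:10:03:00 +0000] "GET /dashboard.action HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

The status code in each hit separates requests that were served (2xx) from those a filter or the application rejected, which helps prioritize which source addresses to review first.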