Merge pull request #81 from BugAlertDotOrg/ConfluenceAuthorization

Vulnerability: Confluence (CVE-2023-22518)
BugAlertDotOrg · Oct 31, 2023 · d56aa5a · d56aa5a
2 parents a0e36b8 + 9d2863e
commit d56aa5a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 9 deletions.
diff --git a/.github/workflows/added_posts.yml b/.github/workflows/added_posts.yml
@@ -40,8 +40,8 @@ jobs:
           readarray -t added_files <<<"$(jq -r '.[]' <<<'${{ steps.files.outputs.added }}')"
           for added_file in ${added_files[@]}; do
             if [[ $added_file == content/notices/* ]]; then
-              echo "File added: ${added_file}. Sleeping for two minutes to await the Pelican build."
-              sleep 120
+              echo "File added: ${added_file}. Sleeping for three minutes to await the Pelican build."
+              sleep 180
               python3 "${GITHUB_WORKSPACE}/notice_communication/__main__.py" "${added_file}"
             fi
           done
diff --git a/content/notices/2023-10-31-confluence.md b/content/notices/2023-10-31-confluence.md
@@ -0,0 +1,19 @@
+---
+Title: Privilege escalation in Atlassian Confluence (CVE-2023-22515)
+Date: 2023-10-31 14:45
+Category: Services & System Applications
+Tags: Confluence, Atlassian, High Severity, CVE-2023-22518
+Slug: confluence
+Summary: An authorization vulnerability exploitable by unauthenticated users has been discovered in Atlassian Confluence, and has been assigned a bug alert severity of 'very high'. Exploitation of the vulnerability can cause substanial data loss. Atlassian recommends removing installations from the Internet immediately if they cannot be patched.
+---
+
+| :exclamation:  SMS and phone notifications are not working in the United States due to new compliance requirements. Bug Alert is working with our telephony provider to resolve this as soon as possible.   |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+
+On Tuesday, October 31st, 2023, [Atlassian released a Security Advisory](https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-confluence-server-1311473907.html) stating that Confluence Server and Data Center editions are vulnerable to an authorization vulnerability which allows an unauthenticated attacker to cause significant data loss. Patches are available.
+
+Now that a patch has been made available, it's likely that additional attackers will inspect the differences in the application binaries between the fixed and vulnerable versions, and develop attack methods rapidly. At this time, Atlassian is advising customers to remove Confluence Server and Data Center from being available from the Internet if they cannot be patched immediately, either by shutting them down, or by firewalling them off.
+
+This vulnerability been assigned CVE-2023-22518.
+
+If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $100 USD to send. If you would like to support the project, [you can learn more here](https://bugalert.org/content/pages/financial-support.html).
diff --git a/notice_communication/__main__.py b/notice_communication/__main__.py
@@ -20,13 +20,13 @@ def main():
     filename = sys.argv[1]
     summary, category, title, slug, tags = get_content_meta(filename)
     url = f"https://bugalert.org/{filename.replace('md', 'html')}"
-    if os.getenv('TWITTER_BEARER_TOKEN') and category != "dev":
-        twitter = get_twitter_client()
-        tweet_summary = summary[:220] if len(summary) > 220 else summary
-        ellipsis = "..." if len(summary) > 220 else ""
-        hashtag = "#BugAlertNews" if category == "bug_alert_news" else "#BugAlertNotice"
-        tweet = f"{f'{tweet_summary}{ellipsis}'} {url}?src=tw {hashtag}"
-        twitter.create_tweet(text=tweet)
+    #if os.getenv('TWITTER_BEARER_TOKEN') and category != "dev":
+    #    twitter = get_twitter_client()
+    #    tweet_summary = summary[:220] if len(summary) > 220 else summary
+    #    ellipsis = "..." if len(summary) > 220 else ""
+    #    hashtag = "#BugAlertNews" if category == "bug_alert_news" else "#BugAlertNotice"
+    #    tweet = f"{f'{tweet_summary}{ellipsis}'} {url}?src=tw {hashtag}"
+    #    twitter.create_tweet(text=tweet)
 
     if category == "bug_alert_news":
         return