Atlassian has warned of a serious security flaw in Confluence Data Center and Server that “could lead to significant data loss if exploited by an unauthenticated attacker.”
Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an “improper authorization vulnerability.”
All versions of Confluence Data Center and Server are vulnerable to the bug, and it has been addressed in the following versions:
- 7.19.16 or later
- 8.3.4 or later
- 8.4.4 or later
- 8.5.3 or later, and
- 8.6.1 or later
That said, the Australian company stressed that there is “no impact on privacy as an attacker cannot breach the data in any case.”
No other details have been provided about the flaw or the exact method by which an adversary could take advantage of it, presumably because doing so could help threat actors develop an exploit.
Atlassian is also urging customers to take immediate action to secure their instances, and is recommending that instances accessible from the public internet be disconnected from it until the patch is applied.
Additionally, users who are running a version outside the support window are advised to upgrade to a fixed version. Atlassian Cloud sites are not affected by this issue.
Although there is no evidence of active exploitation in the wild, previously discovered vulnerabilities in the software, including the recently publicized CVE-2023-22515, have been weaponized by threat actors.
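One way to triage an inventory against the fixed releases listed above, as an added example that is not from Atlassian or the original article. It assumes each "or later" entry applies within its own release line and that lines newer than 8.6 carry the fix, so a version such as 8.0.2 is flagged even though it is numerically above 7.19.16; the hostnames and function names are hypothetical.

```python
import re

# Fixed releases from the list above, keyed by (major, minor) release line.
# Assumption: each "X.Y.Z or later" applies within its own X.Y line, and
# lines newer than 8.6 already contain the fix.
FIXED = {(7, 19): 16, (8, 3): 4, (8, 4): 4, (8, 5): 3, (8, 6): 1}
NEWEST_LINE = max(FIXED)


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' into (major, minor, patch); no patch means 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(version):
    """Return (status, minimum fixed version in the same line or None)."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line > NEWEST_LINE:
        return "fixed", None
    if line in FIXED:
        if patch >= FIXED[line]:
            return "fixed", None
        return "patch", f"{major}.{minor}.{FIXED[line]}"
    # No fixed build is listed for this line (8.0.x, 7.13.x, ...). Comparing
    # the whole version against 7.19.16 would wrongly pass 8.0.2 here.
    return "upgrade", None


def report(inventory):
    """Map {host: version} to {host: (status, target)}."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = {"wiki-a": "7.19.15", "wiki-b": "8.0.2", "wiki-c": "8.5.3", "wiki-d": "8.6"}

if __name__ == "__main__":
    for host, (status, target) in report(SAMPLE).items():
        print(host, status, target or "")
```

A status of `patch` means a fixed build exists in the installed release line; `upgrade` means the line has no listed fix and the instance has to move to one of the listed releases.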