Atlassian has addressed a vulnerability in Confluence Data Center and Confluence Server. CVE-2023-22518 is rated critical, with a CVSS score of 9.1. Atlassian has not released much detail about this improper authorization vulnerability. Its initial advisory states that there is no evidence of active exploitation.
The advisory states, “Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”
CISA has added CVE-2023-22518 to its Known Exploited Vulnerabilities Catalog, which only lists vulnerabilities with evidence of active exploitation, with a remediation deadline of 28 Nov 2023.
Confluence is a team collaboration software developed and marketed by Atlassian. It lets teams create, collaborate on, and organize their work in one place. The software has three hosting options: Cloud, Server, and Data Center. This vulnerability does not affect the Atlassian Cloud hosting option.
The vulnerability affects all versions of Confluence Data Center and Confluence Server prior to the fixed releases.
Users must upgrade to the fixed version for their release line, or to a later release line:
- 7.19.16 or later
- 8.3.4 or later
- 8.4.4 or later
- 8.5.3 or later
- 8.6.1 or later
Please refer to the Atlassian Security Advisory (CONFSERVER-93142) for more information.
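As an added example (not code from Qualys or Atlassian), the following Python script checks a Confluence Server/Data Center version string against the fixed releases listed above and reports whether the instance still needs to upgrade, including the case of a release line that has no fixed version of its own (8.0.x through 8.2.x, or anything older than 7.19). It also pulls the version out of a page's HTML via the ajs-version-number meta tag, which is an assumption about Confluence's page markup; the sample HTML is constructed, and release lines newer than 8.6 are assumed to ship with the fix.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in Atlassian's advisory for CVE-2023-22518, one per
# maintained release line (major.minor). A version below the fixed release on
# its own line is vulnerable; a line with no fixed release (for example 8.0.x,
# 8.1.x, 8.2.x) has to move to a line that has one.
FIXED_VERSIONS = ("7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '8.5.2' (or '8.5.2-rc1', '7.19') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a Confluence version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Tuple[bool, str]:
    """Return (is_vulnerable, reason) for a Confluence Server/Data Center version."""
    v = parse_version(version_text)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS)
    same_line = [f for f in fixed if f[:2] == v[:2]]
    if same_line:
        target = same_line[0]
        if v >= target:
            return False, f"{fmt(v)} is at or above fixed release {fmt(target)}"
        return True, f"{fmt(v)} is below fixed release {fmt(target)}; upgrade to {fmt(target)} or later"
    newest = fixed[-1]
    if v[:2] > newest[:2]:
        # Assumption: release lines cut after the newest fixed line (8.6) ship with the fix.
        return False, f"{fmt(v)} is on a release line newer than {fmt(newest)} (assumed fixed)"
    # An older line with no fixed release of its own: 8.0.x-8.2.x, or anything before 7.19.
    return True, f"{fmt(v)} is on a release line with no fixed release; move to {fmt(newest)} or another fixed line"


# Confluence pages commonly carry the running version in an "ajs-version-number"
# meta tag. This is an assumption about the page markup; inspect your own
# instance's HTML if extraction returns None.
META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE)


def version_from_html(html: str) -> Optional[str]:
    """Extract the version string from a fetched Confluence page, or None if absent."""
    m = META_RE.search(html)
    return m.group(1) if m else None


# Constructed sample: a fragment of what a Confluence login page might return.
SAMPLE_HTML = """<html><head>
<meta name="ajs-version-number" content="8.5.2">
<title>Log In - Confluence</title></head><body></body></html>"""


if __name__ == "__main__":
    found = version_from_html(SAMPLE_HTML)
    print("version from HTML:", found)
    for candidate in (found, "7.19.16", "8.2.0", "8.6.1", "8.7.0"):
        vulnerable, reason = assess(candidate)
        print("VULNERABLE " if vulnerable else "fixed      ", reason)
```

In practice you would feed `version_from_html` the response body of an HTTP GET against the instance's login page (or read the version from the admin console), then act on `assess` before the CISA deadline; the Qualys QIDs mentioned below perform the same check at scale.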
Atlassian has suggested temporary mitigations for users who are unable to upgrade to a patched version:
- Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
- Remove your instance from the internet until you can patch it, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
Qualys customers can scan their devices with QIDs 378982 and 730966 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.