Atlassian Confluence Data Center and Server is vulnerable to a critical severity vulnerability, tracked as CVE-2023-22527. The vulnerability has a maximum CVSS score of 10. Successful exploitation of the vulnerability may lead to remote code execution. Petrus Viet discovered the vulnerability and reported it to Atlassian through their Bug Bounty program.
It is important to note that the vulnerability does not affect the Atlassian Cloud sites.
Acknowledging its active exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before February 14, 2024.
Confluence is a team collaboration software that helps create, collaborate, and organize the team’s work in one place. The software has three hosting options: Cloud, Server, and Data Server.
The vulnerability originates from a template injection flaw on out-of-date Confluence Data Center and Server versions. The vulnerability may allow an unauthenticated attacker to perform remote code execution on an affected version.
Affected Versions
- 8.0.x
- 8.1.x
- 8.2.x
- 8.3.x
- 8.4.x
- 8.5.0-8.5.3
As per the Atlassian advisory, “the vulnerability affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023, as well as 8.4.5, which no longer receives backported fixes as per our Security Bug Fix Policy.”
Note: The vulnerability does not affect version 7.19.x LTS.
Mitigation
Users must upgrade to the listed fixed versions:
- 8.5.4 (LTS)
- 8.6.0 (Data Center Only)
- 8.7.1 (Data Center Only)
Please refer to the Atlassian Security Advisory (CONFSERVER-93833) for more information.
Qualys Detection
Qualys customers can scan their devices with QID 731081 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.