This advisory is for organizations that use Confluence Data Center and Confluence Server on premises. If your organization does not use this product, this notification may be discarded.
Summary
Atlassian has released a warning regarding a critical vulnerability in out-of-date versions of Confluence Data Center and Confluence Server. Atlassian describes this as a template injection vulnerability that allows unauthenticated attackers to perform remote code execution (RCE). Atlassian has informed customers that the most recent supported versions of Confluence Data Center and Server are not affected, as the issue was mitigated during regular version updates. Organizations that have not applied recent patches will need to apply updates to address this vulnerability.
“Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”
CVE-2023-22527 – RCE Vulnerability in Confluence Data Center and Confluence Server
CVSS v3.1: 10.0
Affected Platforms
| Product | Affected Versions |
| --- | --- |
| Confluence Data Center and Server | 8.0.x |
| | 8.1.x |
| | 8.2.x |
| | 8.3.x |
| | 8.4.x |
| | 8.5.0 – 8.5.3 |
Mitigations
Users running out-of-date versions should immediately patch to at least the Fixed Version, and ideally to the Latest Version (to address additionally discovered vulnerabilities).
| Product | Fixed Versions | Latest Version |
| --- | --- | --- |
| Confluence Data Center and Server | 8.5.4 (LTS) | 8.5.5 (LTS) |
| Confluence Data Center | 8.6.0 (Data Center Only) | 8.7.2 (Data Center Only) |
| | 8.7.1 (Data Center Only) | |
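To turn the version tables above into an inventory check, here is an added example (not Atlassian's own tooling) that parses Confluence version strings, flags any that fall in the listed affected ranges, and names the minimum fixed version; hostnames and versions in the sample inventory are constructed.

```python
"""Check Confluence Data Center/Server versions against the CVE-2023-22527
affected ranges from this advisory. Added example, not Atlassian tooling."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed versions and latest versions from the Mitigations table above.
FIXED_VERSIONS = ["8.5.4 (LTS)", "8.6.0 (Data Center Only)", "8.7.1 (Data Center Only)"]
LATEST_VERSIONS = ["8.5.5 (LTS)", "8.7.2 (Data Center Only)"]


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.patch' (patch optional); return None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: Version) -> bool:
    """True if the version is in 8.0.x-8.4.x or 8.5.0-8.5.3 (inclusive)."""
    major, minor, patch = version
    if major != 8:
        return False              # only the 8.x ranges are listed in the advisory
    if 0 <= minor <= 4:
        return True               # any patch level of 8.0 through 8.4
    return minor == 5 and patch <= 3


def assess_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, finding) for each (host, version) pair.
    Versions outside the listed ranges are reported as unlisted, not as safe."""
    findings = []
    for host, raw in inventory:
        parsed = parse_version(raw)
        if parsed is None:
            findings.append((host, raw, "unparseable version; verify manually"))
        elif is_affected(parsed):
            findings.append((host, raw, "AFFECTED: upgrade to " + FIXED_VERSIONS[0] + " or later"))
        else:
            findings.append((host, raw, "not in listed affected ranges"))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [("wiki-01", "8.5.3"), ("wiki-02", "8.5.4"), ("wiki-03", "8.2.7"),
              ("wiki-04", "8.7.2"), ("wiki-05", "unknown")]
    for row in assess_inventory(sample):
        print(*row, sep="\t")
```

Feed it the version reported on each instance's administration page (or from your CMDB) and treat any "AFFECTED" or "unparseable" line as a host to patch or verify.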
Additional Resources
https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
https://www.bleepingcomputer.com/news/security/atlassian-warns-of-critical-rce-flaw-in-older-confluence-versions/
https://nvd.nist.gov/vuln/detail/CVE-2023-22527