Vulnerabilities

CVE-2023-22527 - RCE vulnerability | Critical Insight

Written by Critical Insight | Jan 18, 2024 2:50:00 PM

This advisory is for organizations that use Confluence Data Center and Confluence Server on premises. If your organization does not use this product, this notification may be discarded.

Summary

Atlassian has released a warning regarding a critical vulnerability in “out of date” versions of Confluence Data Center and Confluence Server.  Atlassian describes this as a template injection vulnerability which would allow unauthenticated attackers to perform remote code execution (RCE).  Atlassian has informed their customers that most latest supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular updates.  Organizations which have not applied recent patches will need to apply updates to address this vulnerability. 

“Atlassian Cloud sites are not affected by this vulnerability.  If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”

CVE-2023-22527 – RCE Vulnerability in Confluence Data Center and Confluence Server

                CSVVv3.1: 10.0 

Affected Platforms

Product

Affected Versions

Confluence Data Center and Server

8.0.x

 

8.1.x

 

8.2.x

 

8.3.x

 

8.4.x

 

8.5.0 – 8.5.3

 

Mitigations

Users running out of date versions should immediately patch to at least the Fixed Version, and ideally to the Latest Version (to address additionally discovered vulnerabilities.)

Product

Fixed Versions

Latest Version

Confluence Data Center and Server

8.5.4 (LTS)

8.5.5 (LTS)

Confluence Data Center

8.6.0 (Data Center Only)

8.7.2 (Data Center Only)

8.7.1 (Data Center Only)

 

Additional Resources

https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html

https://www.bleepingcomputer.com/news/security/atlassian-warns-of-critical-rce-flaw-in-older-confluence-versions/

https://nvd.nist.gov/vuln/detail/CVE-2023-22527