A critical security flaw, tracked as CVE-2023-22518 [2] [3] [4], has been discovered in Atlassian’s Confluence Data Center and Server products. The flaw allows unauthorized attackers to gain access or privileges within a Confluence system [5]. While there is currently no evidence of active exploitation [3], previous vulnerabilities in the software have been exploited by threat actors [3].

Description

This vulnerability has been rated 9.1 out of 10 on the CVSS scale [3]. Atlassian has released patches that address the issue in specific versions of its products, and customers are advised to take immediate action to protect their instances [3]. Confidentiality is reported not to be impacted, since attackers cannot extract any instance data [3]. Until a patch can be applied, customers should consider disconnecting publicly accessible instances from the internet to safeguard them [3]. Users running unsupported versions should upgrade to a fixed version [3]. Atlassian Cloud sites are not affected by this vulnerability [1] [3].

Conclusion

Customers should be aware of the risks associated with this security flaw and take the necessary precautions to protect their Confluence instances. Atlassian’s prompt release of patches demonstrates its commitment to addressing vulnerabilities, and it is crucial that customers apply these patches as soon as possible to prevent unauthorized access or privilege gains within their systems. Users should also keep their software up to date so that they are always running the latest fixed version. By staying vigilant and proactive, customers can mitigate the potential impact of this vulnerability and maintain the security of their Confluence instances.

References

[1] https://www.helpnetsecurity.com/2023/10/31/cve-2023-22518/
[2] https://stackdiary.com/critical-bug-in-confluence-server-and-data-center-cve-2023-22518/
[3] https://thehackernews.com/2023/10/atlassian-warns-of-new-critical.html
[4] https://vulnera.com/newswire/atlassian-alerts-users-of-critical-confluence-flaw-risking-data-loss/
[5] https://securityonline.info/cve-2023-22518-a-critical-vulnerability-in-atlassian-confluence/