Atlassian has issued a security advisory regarding a critical Remote Code Execution (RCE) vulnerability identified as CVE-2023-22527 in out-of-date versions of Confluence Data Center and Confluence Server. This security flaw poses a significant risk, allowing an unauthenticated attacker to exploit a template injection vulnerability and achieve RCE on affected versions.
Summary of Vulnerability:
CVE ID: CVE-2023-22527
Affected Products: Confluence Data Center, Confluence Server
Advisory Release Date: Tue, Jan 16, 2024 01:00 EST
Severity: Critical (10.0) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details: This template injection vulnerability affects out-of-date versions of Confluence Data Center and Server, specifically version 8 releases published before Dec. 5, 2023, as well as version 8.4.5, which no longer receives backported fixes. Affected customers must take immediate action and patch their installations to the latest versions.
What You Need To Do:
Affected Versions (Confluence Data Center and Server): 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
Immediate Action: Patch each affected installation to the latest version available.
Latest Versions: 8.5.4 (LTS), 8.5.5 (LTS) for Data Center and Server.
Mitigations: Unfortunately, there are no known workarounds for this vulnerability. The only solution is to update each affected product installation to the latest version.
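Since there is no workaround, the practical first step is knowing which installations fall inside the affected ranges listed above. The following Python check is an added example, not part of the advisory; it encodes only the ranges and fixed versions named on this page, and the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Version strings like "8.5.3" or "8.5"; a missing patch component is treated as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse a Confluence version string into (major, minor, patch), or None."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected_by_cve_2023_22527(version: str) -> bool:
    """True if the version is in an affected range stated in the advisory:
    8.0.x through 8.4.x (including 8.4.5), and 8.5.0 through 8.5.3."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = parsed
    if major != 8:
        return False           # the advisory lists only 8.x ranges as affected
    if minor <= 4:
        return True            # 8.0.x - 8.4.x
    if minor == 5:
        return patch <= 3      # 8.5.0 - 8.5.3; 8.5.4 and 8.5.5 carry the fix
    return False               # later minors are not in the affected list

def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, action) for every host that still needs attention.
    Unparseable versions are flagged for manual review rather than silently skipped."""
    findings = []
    for host, version in inventory:
        try:
            if is_affected_by_cve_2023_22527(version):
                findings.append((host, version, "upgrade to 8.5.4 or 8.5.5 (LTS)"))
        except ValueError:
            findings.append((host, version, "version unrecognised, verify manually"))
    return findings

# Constructed sample inventory (hostnames and versions are made up for illustration)
SAMPLE_INVENTORY = [
    ("wiki-prod-01.example.internal", "8.5.3"),
    ("wiki-prod-02.example.internal", "8.5.4"),
    ("wiki-legacy.example.internal", "8.4.5"),
    ("wiki-dev.example.internal", "8.6.0"),
    ("wiki-unknown.example.internal", "n/a"),
]

if __name__ == "__main__":
    for host, version, action in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: Confluence {version}: {action}")
```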
Acknowledgments: This vulnerability was responsibly disclosed by Petrus Viet and reported via Atlassian's Bug Bounty program.
Support: For further assistance or if you did not receive an email advisory, visit Atlassian Support.
Frequently Asked Questions (FAQ): Additional details and clarifications can be found on the FAQ page.
References: