Another critical Confluence vulnerability - patch ASAP

published: Oct. 31, 2023

Take action: If you are still running Confluence Server or Data Center, block it from the Internet and patch immediately. Also start planning to retire it in the medium term, since Atlassian ends support for the Server edition of Confluence on February 14th, 2024.

Learn More

Atlassian has issued an urgent warning to enterprise administrators regarding a critical security vulnerability in its on-premise Confluence Data Center and Server products.

The flaw, tracked as CVE-2023-22518 (CVSS score 9.1, later rescored to 10), is an improper authorization vulnerability that an unauthenticated attacker can exploit to cause significant data loss. At the time of the original advisory, no detailed information had been provided about the nature of the exploit.

Update - as of November 7th, active ransomware and other attacks against unpatched Confluence Data Center and Server instances have driven the CVSS score of this vulnerability up from its original 9.1 to 10. The score was raised "due to a change in scope of the attack," according to the Atlassian advisory, which added that active exploitation of the bug, including ransomware, has now been observed.

The flaw affects all versions of Confluence Data Center and Server prior to versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.

Versions that have reached their End of Life might also be vulnerable.
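The fixed-version list above is easy to misread (8.2.x has no fix on its own branch, 8.6.0 is still affected, and anything End of Life is behind every listed fix). The following is an added example, not code from the page or from Atlassian: it encodes the advisory's fixed versions and decides whether a given version string is affected, treating any branch without a listed fix as affected if it predates the newest fixed release and as patched if it is newer (the advisory's "or later"). The `ajs-version-number` meta tag lookup and the sample login page are assumptions constructed for the example, not something the advisory documents.

```python
"""Triage a Confluence Data Center / Server version against the
CVE-2023-22518 fix list (added example; fixed versions taken from the advisory)."""
import re

# Fixed versions from the advisory, keyed by (major, minor) release branch.
FIXED_VERSIONS = {
    (7, 19): (7, 19, 16),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 3),
    (8, 6): (8, 6, 1),
}


def parse_version(text):
    """Turn '8.5.2' (or '8.5.2-beta1', '8.5') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = (int(x) if x is not None else 0 for x in m.groups())
    return (major, minor, patch)


def is_affected(version):
    """True if this version predates the fix for its branch.

    A branch with no listed fix (8.0-8.2, 7.18 and older, anything End of Life)
    is affected if it is older than the newest fixed release; a branch newer than
    the newest fixed one (8.7 and up) already ships the fix.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return v < max(FIXED_VERSIONS.values())


def version_from_html(html):
    """Pull the version out of an 'ajs-version-number' meta tag.

    Assumption: the instance's login page renders this tag. Treat it as a hint
    only; confirm the version from the admin console or the installed files.
    """
    m = re.search(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', html)
    return m.group(1) if m else None


def triage(html):
    """Classify a fetched page as 'affected', 'patched' or 'unknown'."""
    version = version_from_html(html)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "patched"


# Constructed sample of a login page; not captured from a real instance.
SAMPLE_LOGIN_PAGE = """<!DOCTYPE html>
<html><head>
<meta name="ajs-version-number" content="8.5.2">
<title>Log In - Confluence</title>
</head><body></body></html>"""


if __name__ == "__main__":
    for v in ["7.19.15", "7.19.16", "8.2.0", "8.5.2", "8.5.3", "8.6.0", "8.7.0"]:
        print(f"{v:>8}: {'affected' if is_affected(v) else 'patched'}")
    print("sample page:", triage(SAMPLE_LOGIN_PAGE))
```

Run it against the version you see in the admin console; if a branch you are on is not in the table and the result is "affected", the upgrade target is the nearest listed fixed version on a supported branch, not a patch on your own branch.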

Atlassian has recommended upgrading to the patched versions or later. It has also clarified that Atlassian Cloud sites, which are hosted by Atlassian, are not affected by this vulnerability.

As a precautionary measure, and even before any exploitation had been reported, the company advised that all publicly accessible on-prem instances be upgraded immediately. Administrators who cannot patch promptly should back up their instance and temporarily remove it from the Internet or restrict external network access to it.

It's worth noting that vulnerabilities in Confluence Data Center and Server have historically been targeted by attackers. Earlier in the month, Atlassian released patches for another critical flaw, CVE-2023-22515, which was exploited by a state-backed threat actor; that earlier vulnerability was also used to attack a crime group's website on the dark web.
