Out-of-date versions of Confluence Data Center and Server contain a template injection vulnerability (CVE-2023-22527) that allows an unauthenticated attacker to achieve remote code execution (RCE) on an affected instance.
Affected versions:
Out-of-date Confluence Data Center and Server versions released before Dec. 5, 2023 are affected, as is 8.4.5, which no longer receives backported fixes under Atlassian's Security Bug Fix Policy. The affected versions are:
- 8.0.x
- 8.1.x
- 8.2.x
- 8.3.x
- 8.4.x
- 8.5.0-8.5.3
Not affected:
- Confluence Cloud instances.
- The most recent, supported versions of Confluence Data Center and Server. The fix shipped in the regular release cycle: 8.5.4 (LTS), 8.6.0 and 8.7.1 (Data Center only), and later releases.
Severity: Critical (CVSS score 10)
What To Do
Atlassian recommends patching immediately to the latest version; no workaround is offered, so updating is the only fix. Use Vulnerability Detection to search your environment for "CVE-2023-22527" and confirm that every Confluence Data Center or Server instance is on a fixed release.
Installing the latest version also protects affected instances from the other, non-critical vulnerabilities listed in the Atlassian January 2024 Security Bulletin.
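A quick way to triage an inventory of self-hosted Confluence instances against the version list above, as an added example that is not code from this page or from Atlassian: the script below reads the version Confluence publishes in the `ajs-version-number` meta tag of its login page (a real tag, but the HTML here is a constructed sample, not a captured response) and reports whether that version falls in the affected ranges the page lists. The 8.0.x through 8.4.x and 8.5.0 through 8.5.3 ranges come from the page; the fixed versions named in the note (8.5.4, 8.6.0, 8.7.1) come from Atlassian's FAQ rather than from this page, and the `assess` and `is_affected` helper names are this example's own.

```python
import re
from typing import Optional, Tuple

# Affected ranges, copied from the advisory's list:
#   8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x (any patch level) and 8.5.0 through 8.5.3.
# Anything outside these ranges is reported as "not in the affected list".
AFFECTED_MINOR_LINES = {0, 1, 2, 3, 4}   # 8.0.x .. 8.4.x
AFFECTED_85_PATCH_MAX = 3                # 8.5.0 .. 8.5.3

# First fixed releases per line, per Atlassian's FAQ for CVE-2023-22527 (not listed on this page).
FIXED_VERSIONS = ("8.5.4", "8.6.0", "8.7.1")

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

# Confluence emits its version on every page as <meta name="ajs-version-number" content="X.Y.Z">.
# The attribute order assumed here (name before content) is what Confluence renders.
META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE)

# Constructed sample of a login page fragment; not a real captured response.
SAMPLE_LOGIN_HTML = """<!DOCTYPE html><html><head>
<meta charset="UTF-8">
<meta name="ajs-version-number" content="8.5.3">
<meta name="ajs-build-number" content="9012">
<title>Log In - Confluence</title></head><body></body></html>"""


def parse_version(s: str) -> Tuple[int, int, int]:
    """Split 'major.minor[.patch]' into integers; a missing patch counts as 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {s!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version is inside the ranges listed in the advisory."""
    major, minor, patch = parse_version(version)
    if major != 8:
        return False                      # only 8.x lines are on the list
    if minor in AFFECTED_MINOR_LINES:
        return True                       # 8.0.x .. 8.4.x, any patch
    if minor == 5:
        return patch <= AFFECTED_85_PATCH_MAX   # 8.5.0 .. 8.5.3
    return False                          # 8.6+, and 8.5.4+ above


def version_from_html(html: str) -> Optional[str]:
    """Pull the version string out of the ajs-version-number meta tag, if present."""
    m = META_RE.search(html)
    return m.group(1) if m else None


def assess(html: str) -> dict:
    """Turn a fetched Confluence page into a triage record for CVE-2023-22527."""
    version = version_from_html(html)
    if version is None:
        return {"version": None, "affected": None,
                "note": "no ajs-version-number meta tag found; check the instance manually"}
    affected = is_affected(version)
    note = (f"{version} is in the affected list; upgrade to {', '.join(FIXED_VERSIONS)} or later"
            if affected else f"{version} is not in the affected list")
    return {"version": version, "affected": affected, "note": note}


if __name__ == "__main__":
    # Stand-alone run over the constructed sample plus a few bare version strings.
    print(assess(SAMPLE_LOGIN_HTML))
    for v in ("8.4.5", "8.5.3", "8.5.4", "8.6.0", "7.19.17"):
        print(f"{v:>8}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

In practice the HTML passed to `assess` comes from an authenticated or unauthenticated GET of each instance's `/login.action` over your own inventory; the script deliberately does nothing beyond reading the version so it can run against production without touching the vulnerable template-rendering path. Versions older than 8.0, including the 7.19 LTS line, are reported as not in the page's affected list rather than as safe by any other criterion.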
Resources
- Atlassian, “FAQ for CVE-2023-22527”
- Atlassian, “January 2024 Security Bulletin”
- NIST, “CVE-2023-22527 Detail”
- October 28, 2024: Vulnerability Detection in the SPM app moved from Risks to Findings.
- January 26, 2024: Vulnerability Detection available.
- January 25, 2024: Published.