Atlassian Releases Security Updates for Critical Vulnerability in Confluence Data Center and Server
The security update addresses a template injection vulnerability in Confluence Data Center and Server
Summary
The security update addresses a template injection vulnerability in Confluence Data Center and Server
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Atlassian has released a security update to address a vulnerability in Confluence Data Center and Server. The critical vulnerability, known as CVE-2023-22527, has a CVSSv3 score of 10 and is described as a template injection vulnerability on out-of-date versions of Confluence Data Center and Server. An unauthenticated attacker could exploit this vulnerability to achieve remote code execution (RCE) on an affected device.
Reference to previously issued high severity Cyber Alert
CC-4420 was issued as a high severity Cyber Alert in December 2023 to address CVE-2023-22522, a previously disclosed vulnerability in Confluence Data Center and Server.
Organisations that have updated to a version of Confluence Data Center and Server that remediates CVE-2023-22522 are no longer vulnerable to CVE-2023-22527, with the exception of version 8.4.5, which is still vulnerable.
Any organisation currently running Confluence Data Center and Server version 8.4.5 is strongly encouraged to update to a version that remediates both vulnerabilities.
Exploitation of CVE-2023-22527
Active exploitation has been reported for CVE-2023-22527.
Threat updates
Date | Update
---|---
24 Jan 2024 | Exploitation of CVE-2023-22527: the Cyber Alert has been updated to reflect this change
Remediation advice
Affected organisations are encouraged to review the Atlassian security advisory and apply the necessary updates to bring Confluence Data Center and Server to the latest version.
Definitive source of threat updates
Last edited: 24 January 2024 4:15 pm