
Atlassian Releases Security Updates for Critical Vulnerability in Confluence Data Center and Server


Summary

The security update addresses a template injection vulnerability in Confluence Data Center and Server


Threat details

Introduction

Atlassian has released a security update to address a critical vulnerability in Confluence Data Center and Server. The vulnerability, tracked as CVE-2023-22527, has a CVSSv3 base score of 10.0 and is described as a template injection vulnerability in out-of-date versions of Confluence Data Center and Server. An unauthenticated attacker could exploit it to achieve remote code execution (RCE) on an affected instance.

Reference to previously issued high severity Cyber Alert

CC-4420 was issued as a high severity Cyber Alert in December 2023 to address CVE-2023-22522, a previously disclosed vulnerability in Confluence Data Center and Server.

Organisations that have updated to a version of Confluence Data Center and Server that remediates CVE-2023-22522 are no longer vulnerable to CVE-2023-22527, with the exception of version 8.4.5, which remains vulnerable. Because the affected-version list for CVE-2023-22527 covers every 8.x release below 8.5.4 (see the CVE entry below), confirm the exact installed version of each instance rather than relying on the earlier update alone.

Any organisation currently running Confluence Data Center and Server version 8.4.5 is strongly encouraged to update to a version that remediates both vulnerabilities.

Exploitation of CVE-2023-22527

Active exploitation has been reported for CVE-2023-22527.


Threat updates

Date: 24 Jan 2024
Update: Exploitation of CVE-2023-22527. Active exploitation has been reported, and the Cyber Alert has been updated to reflect this change.


Remediation advice

Affected organisations are encouraged to review the Atlassian security advisory and apply the necessary updates, upgrading to the latest available version rather than only the minimum fixed version listed for this CVE.



CVE Vulnerabilities

Status: Published

CVE-2023-22527

Summary of vulnerability

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability, as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from the non-critical vulnerabilities outlined in Atlassian's January Security Bulletin. See "What you need to do" for detailed instructions.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Affected versions

Product: Confluence Data Center and Server
Affected versions: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0, 8.5.1, 8.5.2, 8.5.3

Fixed versions

Confluence Data Center and Server: 8.5.4 (LTS)
Confluence Data Center: 8.6.0 or later (Data Center only); 8.7.1 or later (Data Center only)

What you need to do

Immediately patch to a fixed version. Atlassian recommends that you patch each of your affected installations to the latest version. The listed fixed versions are no longer the most up-to-date versions and do not protect your instance from other non-critical vulnerabilities outlined in Atlassian's January Security Bulletin.

Product: Confluence Data Center and Server
Fixed version: 8.5.4 (LTS)
Latest version: 8.5.5 (LTS)

Product: Confluence Data Center
Fixed versions: 8.6.0 or later (Data Center only); 8.7.1 or later (Data Center only)
Latest version: 8.7.2 or later (Data Center only)

For additional details, please see the full advisory.
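The affected and fixed version lists above are what an estate-wide check has to be compared against. The following is an added example, not code from the alert or from Atlassian, that parses Confluence version strings, classifies each against the ranges in those tables, and triages a constructed inventory of instances. The "ajs-version-number" meta tag used to pull a version out of a fetched page is an assumption about Confluence's HTML; confirm it against your own instance before relying on it. Versions that appear in neither table (for example 7.19.x or 8.7.0) are reported as "not-listed" rather than silently treated as safe.

```python
"""Added example (not Atlassian's or the alert's own code): triage Confluence
Data Center/Server version strings against the CVE-2023-22527 affected and
fixed version lists given in the advisory text. The 'ajs-version-number'
meta tag used to pull a version out of a page is assumed; verify it against
your own instance's HTML before relying on it."""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.I)

# Ranges transcribed from the advisory's affected/fixed tables.
AFFECTED_LINES = {(8, 0), (8, 1), (8, 2), (8, 3), (8, 4)}  # every patch level of these lines
AFFECTED_8_5 = ((8, 5, 0), (8, 5, 3))                      # inclusive range 8.5.0 .. 8.5.3
FIXED_FROM = [                                             # "X or later" thresholds
    ((8, 5), (8, 5, 4), "8.5.4 (LTS)"),                    # only within the 8.5 line
    ((8, 6), (8, 6, 0), "8.6.0 or later (Data Center only)"),
    (None, (8, 7, 1), "8.7.1 or later (Data Center only)"),  # any later line
]


def parse_version(text):
    """Parse '8.5.3', '8.7' or '8.6.0-rc1' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for CVE-2023-22527.

    'not-listed' means the version appears in neither table (e.g. 7.19.x or
    8.7.0): the advisory does not list it as vulnerable, but does not list it
    as fixed either, so it needs checking against the full advisory.
    """
    v = parse_version(text)
    if v[:2] in AFFECTED_LINES or AFFECTED_8_5[0] <= v <= AFFECTED_8_5[1]:
        return "affected"
    for line, threshold, _label in FIXED_FROM:
        if (line is None or v[:2] == line) and v >= threshold:
            return "fixed"
    return "not-listed"


def version_from_html(html):
    """Pull the version out of a fetched Confluence page (meta tag name assumed)."""
    m = _META_RE.search(html)
    return m.group(1) if m else None


def triage(inventory):
    """Map {hostname: page html} to [(hostname, version, status)], worst first."""
    order = {"affected": 0, "not-listed": 1, "fixed": 2}
    rows = []
    for host, html in inventory.items():
        ver = version_from_html(html)
        status = classify(ver) if ver else "not-listed"  # no version found: do not assume safe
        rows.append((host, ver, status))
    return sorted(rows, key=lambda r: order[r[2]])  # stable sort keeps inventory order within a status


# Constructed sample pages, standing in for HTML fetched from each instance.
SAMPLE_INVENTORY = {
    "wiki-a.example.internal": '<html><head><meta name="ajs-version-number" content="8.5.3"></head></html>',
    "wiki-b.example.internal": '<html><head><meta name="ajs-version-number" content="8.4.5"></head></html>',
    "wiki-c.example.internal": '<html><head><meta name="ajs-version-number" content="8.5.5"></head></html>',
    "wiki-d.example.internal": '<html><head><meta name="ajs-version-number" content="7.19.17"></head></html>',
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<10} {ver or '?':<8} {host}")
```

Note that 8.4.5, the version the alert singles out, is classified as affected because the whole 8.4.x line is in the affected table, and that a host whose version cannot be read is reported as "not-listed" so it is not dropped from the follow-up list.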

Last edited: 24 January 2024 4:15 pm