Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in "significant data loss if exploited by an unauthenticated attacker."
Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of "improper authorization vulnerability."
All versions of Confluence Data Center and Server are susceptible to the bug, and it has been addressed in the following versions -
- 7.19.16 or later
- 8.3.4 or later
- 8.4.4 or later
- 8.5.3 or later, and
- 8.6.1 or later
That said, the Australian company emphasized that "there is no impact to confidentiality as an attacker cannot exfiltrate any instance data."
No other details about the flaw and the exact method by which an adversary can take advantage of it have been made available, likely owing to the fact that doing so could enable threat actors to devise an exploit.
Atlassian is also urging customers to take immediate action to secure their instances, recommending those that are accessible to the public internet be disconnected until a patch can be applied.
What's more, users who are running versions that are outside of the support window are advised to upgrade to a fixed version. Atlassian Cloud sites are not affected by the issue.
While there is no evidence of active exploitation in the wild, previously discovered shortcomings in the software, including the recently publicized CVE-2023-22515, have been weaponized by threat actors.
Update
Atlassian on November 2, 2023, updated its advisory to once again urge customers to apply the patches following the public release of critical information about the vulnerability that it said could lead to a greater likelihood of exploitation.
"There are still no reports of an active exploit, though customers must take immediate action to protect their instances," it further added. "If you already applied the patch, no further action is required."