
Atlassian Confluence Improper Authorization Vulnerability

3rd November 2023

Summary

Earlier this week Atlassian published a critical severity vulnerability affecting Confluence Data Center and Confluence Server. CVE-2023-22518 (CVSS:3.0: 9.1) is an improper authorization vulnerability which may lead to significant data loss if exploited by an unauthenticated attacker. At this time there are still no reports of an active exploit. There is no impact to confidentiality, as an attacker cannot exfiltrate any instance data. Atlassian Cloud sites are not affected by this vulnerability: if your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

All versions of Confluence Data Center and Server prior to the fixed versions listed below are affected by the vulnerability.

Fixed Versions

  • 19.16 or later
  • 3.4 or later
  • 4.4 or later
  • 5.3 or later
  • 6.1 or later

The above versions apply to the Confluence Data Center and Server.

Recommendations

Due to the critical severity of this vulnerability, organisations are advised to take immediate action to protect their instances.

If you are unable to patch, Atlassian recommends the following mitigations:

  1. Back up your instance. (Instructions)
  2. Remove your instance from the internet until you can patch, if possible.
  3. If you cannot restrict external network access or patch, apply the following interim measures to mitigate known attack vectors by blocking access to the following endpoints on Confluence instances:
    1. /json/setup-restore.action
    2. /json/setup-restore-local.action
    3. /json/setup-restore-progress.action
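As an added example that is not part of the Atlassian bulletin, the following nginx fragment implements step 3 at a reverse proxy placed in front of Confluence. It assumes Confluence listens on 127.0.0.1:8090 (its default port) under the root context path; the hostname is a placeholder, and the TLS directives are omitted.

```nginx
# Added example (not from the Atlassian bulletin): an nginx reverse-proxy
# fragment that denies the three setup-restore endpoints named in step 3.
# Assumptions: nginx fronts Confluence, which listens on 127.0.0.1:8090
# (Confluence's default port) at the root context path. If Confluence is
# served under a context path such as /confluence, prefix the location
# pattern accordingly and adjust proxy_pass to match your deployment.

server {
    listen 443 ssl;
    server_name confluence.example.com;   # placeholder hostname

    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    # Interim mitigation: refuse the setup-restore endpoints before the
    # request reaches Confluence. A regex location takes precedence over
    # the prefix "location /" below, "~*" matches case-insensitively, and
    # the pattern is anchored only at the start so that the three actions
    # are matched as a prefix rather than requiring an exact path.
    location ~* ^/json/setup-restore(-local|-progress)?\.action {
        return 403;
    }

    # Everything else is proxied to Confluence as before.
    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx (`nginx -t` first), confirm that a request to each of the three endpoints returns 403 while normal pages still load. A proxy-level block only helps if clients cannot reach Confluence directly on port 8090, so bind that port to localhost or firewall it; and, as the bulletin states, this is an interim measure until the instance is upgraded to a fixed version.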