Atlassian Confluence Remote Code Execution Vulnerability – CVE-2023-22527 (and more)

17th January 2024 (updated: 22nd January 2024)

Introduction

Atlassian has released a security advisory on a remote code execution vulnerability in Atlassian Confluence Data Center and Server.

CVE-2023-22527 (CVSS 3.1: 10.0 [CRITICAL]) stems from a template injection vulnerability that can be escalated to remote code execution.

Software updates with security patches for this vulnerability have been released and are detailed below. Atlassian Cloud is not affected by this vulnerability.

Additionally, Atlassian released their January 2024 security bulletin containing 28 high-severity vulnerabilities which have been fixed in the latest versions of their products, as detailed at the end of this post.

Affected Versions

Confluence Data Center and Server:

  • 8.0.x
  • 8.1.x
  • 8.2.x
  • 8.3.x
  • 8.4.x
  • 8.5.0-8.5.3

Version 7.19.x LTS is not affected.

Recommendations

Atlassian recommends immediate patching of out-of-date versions by installing the latest version.

Confluence Data Center and Server

  • Patch released: 8.5.4 (LTS)
  • Latest version: 8.5.5 (LTS)

Confluence Data Center

  • Patch released: 8.6.0 (Data Center Only)
  • Latest version: 8.7.12 (Data Center Only)
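
To triage an inventory against the affected and patched version ranges listed above, the following added example (not Atlassian's or this bulletin's own code) classifies Confluence Data Center and Server version strings for CVE-2023-22527. The host names and versions in the sample are constructed, and treating releases after 8.6.0 as patched is an assumption based on the fix version given here.

```python
import re

def parse_version(text):
    """Extract (major, minor, patch) as ints; patch is None if absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None)

def classify(version_text):
    """Status for CVE-2023-22527 using only the ranges stated in the bulletin."""
    major, minor, patch = parse_version(version_text)
    if major == 8 and minor <= 4:
        return "affected"                      # 8.0.x - 8.4.x
    if (major, minor) == (8, 5):
        if patch is None:
            return "check-patch-level"         # "8.5" alone is ambiguous
        # Compare numerically: as strings, "8.5.10" would sort before "8.5.4".
        return "affected" if patch <= 3 else "patched"
    if (major, minor) >= (8, 6):
        return "patched"                       # assumption: fix carried forward from 8.6.0
    if (major, minor) == (7, 19):
        return "not-affected"                  # 7.19.x LTS
    return "not-listed"                        # bulletin makes no statement

def triage(inventory):
    """Group hosts by status; unparsable entries land under 'unparsed'."""
    report = {}
    for host, version_text in inventory.items():
        try:
            status = classify(version_text)
        except ValueError:
            status = "unparsed"
        report.setdefault(status, []).append(host)
    return report

# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = {
    "wiki-prod": "8.5.3",
    "wiki-dr": "Confluence 8.5.10",
    "wiki-legacy": "7.19.17",
    "wiki-dev": "8.4.0",
    "wiki-old": "7.13.2",
    "wiki-lab": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:18} {', '.join(hosts)}")
```

Hosts reported as "not-listed", "check-patch-level" or "unparsed" need manual review against Atlassian's advisory, since this bulletin makes no statement about them.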

More Vulnerabilities

CVE-2022-42252 (CVSS:3.1: 7.5 – High) – Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server
CVE-2020-25649 (CVSS:3.1: 7.5 – High) – XXE (XML External Entity Injection) jackson-databind Dependency in Jira Software Data Center and Server
CVE-2022-44729 (CVSS:3.1: 7.1 – High) – SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server
CVE-2021-40690 (CVSS:3.1: 7.5 – High) – Info Disclosure org.apache.santuario:xmlsec Dependency in Crowd Data Center and Server
CVE-2023-46589 (CVSS:3.1: 7.5 – High) – Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server
CVE-2023-3635 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) com.squareup.okio:okio-jvm Dependency in Confluence Data Center and Server
CVE-2023-22526 (CVSS:3.1: 7.2 – High) – RCE (Remote Code Execution) in Confluence Data Center and Server
CVE-2024-21672 (CVSS:3.1: 8.3 – High) – RCE (Remote Code Execution) in Confluence Data Center and Server
CVE-2024-21673 (CVSS:3.1: 8.0 – High) – RCE (Remote Code Execution) in Confluence Data Center and Server
CVE-2024-21674 (CVSS:3.1: 8.6 – High) – RCE (Remote Code Execution) in Confluence Data Center and Server
CVE-2023-43642 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
CVE-2023-6481 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server
CVE-2023-6378 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server
CVE-2023-46589 (CVSS:3.1: 7.5 – High) – Request Smuggling org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server
CVE-2023-34455 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
CVE-2023-34454 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
CVE-2023-34453 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
CVE-2023-36478 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server
CVE-2023-5072 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server
CVE-2023-36478 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server
CVE-2023-39410 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server
CVE-2020-26217 (CVSS:3.1: 8.8 – High) – RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server
CVE-2017-7957 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server
CVE-2022-4244 (CVSS:3.1: 7.5 – High) – Info Disclosure org.codehaus.plexus:plexus-utils Dependency in Bamboo Data Center and Server
CVE-2018-10054 (CVSS:3.1: 8.8 – High) – RCE (Remote Code Execution) com.h2database:h2 Dependency in Bamboo Data Center and Server
CVE-2023-5072 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) org.json:json Dependency in Bamboo Data Center and Server
CVE-2023-46589 (CVSS:3.1: 7.5 – High) – Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server
CVE-2022-40152 (CVSS:3.1: 7.5 – High) – DoS (Denial of Service) com.fasterxml.woodstox:woodstox-core Dependency in Bamboo Data Center and Server