CVE-2023-22522: Critical RCE Vulnerability in Confluence Data Center and Server

CVE-2023-22522

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2023-22522, has been disclosed in Confluence Data Center and Server. Because Confluence stores much of an organisation's internal documentation, code execution on the server puts the integrity and confidentiality of that content at risk.

The underlying flaw is a Template Injection vulnerability. An authenticated user, including an anonymous user on instances that allow anonymous access, can inject unsafe input into a Confluence page and have it evaluated by the server's templating layer, which gives the attacker Remote Code Execution (RCE) on the affected instance. Every version of Confluence Data Center and Server from 4.0.0 onward is affected; the Atlassian-hosted Confluence Cloud is not.

Atlassian rates the flaw as critical with a CVSS (Common Vulnerability Scoring System) score of 9.0, reflecting a network attack vector, low privileges required (an anonymous user suffices where anonymous access is enabled) and full impact on the confidentiality, integrity and availability of the server.

Atlassian strongly recommends upgrading all affected Confluence instances to the latest release or to one of the fixed versions listed below.

Fixed Versions

  • Confluence Data Center and Server 7.19.17 (LTS)
  • Confluence Data Center and Server 8.4.5
  • Confluence Data Center and Server 8.5.4 (LTS)
  • Confluence Data Center 8.6.2 or later (Data Center Only)
  • Confluence Data Center 8.7.1 or later (Data Center Only)
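The fixed-version list is easy to misread when patching across several release lines (7.19.x and 8.4.x have their own fixed builds, 8.0 through 8.3 have none, and 8.8 onwards ship clean). The following triage helper is an added example, not code from Atlassian or the advisory: it encodes the fixed releases above and tells you, for a version string pulled from an inventory, whether that build is affected and which fixed release is the smallest upgrade that closes the hole. The sample inventory at the bottom is constructed, and the assumption that release lines newer than 8.7 contain the fix follows from the "or later" wording of the advisory.

```python
"""Triage helper for CVE-2023-22522: map a Confluence version to a verdict.

Added example; the fixed-release table is taken from Atlassian's advisory,
everything else (function names, sample inventory) is constructed here.
"""
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed build in each release line that received a fix.
FIXED_RELEASES: Tuple[Version, ...] = (
    (7, 19, 17),  # LTS
    (8, 4, 5),
    (8, 5, 4),    # LTS
    (8, 6, 2),    # Data Center only
    (8, 7, 1),    # Data Center only
)
FIRST_AFFECTED: Version = (4, 0, 0)
# Assumption: release lines after 8.7 were cut with the fix ("8.7.1 or later").
FIRST_CLEAN_LINE: Tuple[int, int] = (8, 8)


class Verdict(NamedTuple):
    vulnerable: bool
    reason: str
    upgrade_to: Optional[str]  # smallest fixed release that resolves the issue


def parse_version(text: str) -> Version:
    """Extract major.minor[.patch] from a banner such as 'Confluence 8.5.3'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(text: str) -> Verdict:
    """Decide whether the version in `text` is affected by CVE-2023-22522."""
    v = parse_version(text)
    line = v[:2]
    if v < FIRST_AFFECTED:
        return Verdict(False, "pre-4.0.0 release, outside the affected range", None)
    if line >= FIRST_CLEAN_LINE:
        return Verdict(False, "release line newer than 8.7 ships with the fix", None)
    fixed_in_line = {f[:2]: f for f in FIXED_RELEASES}.get(line)
    if fixed_in_line is not None:
        if v >= fixed_in_line:
            return Verdict(False, f"at or above fixed build {fmt(fixed_in_line)}", None)
        return Verdict(True, f"below fixed build in the {line[0]}.{line[1]} line",
                       fmt(fixed_in_line))
    # 4.0 .. 7.18 and 8.0 .. 8.3 have no fixed build of their own: the
    # smallest fixed release above the current version is the minimal upgrade.
    target = min(f for f in FIXED_RELEASES if f > v)
    return Verdict(True, "release line has no fixed build", fmt(target))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "wiki-prod.example.internal": "Atlassian Confluence 8.5.3",
    "wiki-eng.example.internal": "Atlassian Confluence 7.19.17",
    "wiki-legacy.example.internal": "Atlassian Confluence 6.13.0",
    "wiki-dc.example.internal": "Atlassian Confluence 8.7.0",
}


def triage(inventory: dict) -> dict:
    """Return {host: Verdict} for every entry in an inventory of version banners."""
    return {host: assess(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        state = "VULNERABLE" if verdict.vulnerable else "ok"
        extra = f" -> upgrade to {verdict.upgrade_to}" if verdict.upgrade_to else ""
        print(f"{host:32} {state:10} {verdict.reason}{extra}")
```

The helper deliberately prefers the smallest fixed release above the current build so the upgrade path stays within (or closest to) the running release line; for 8.0 through 8.3 that is 8.4.5, although the two LTS builds (7.19.17 and 8.5.4) are the better long-term targets. Treat the result as a first pass over an inventory, not as a substitute for confirming the running build on each instance.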

For instances that cannot be patched immediately, Atlassian offers only interim measures rather than a workaround that closes the flaw: back up the instance, then remove it from the internet or restrict external network access until the fixed version can be applied. Disabling anonymous access narrows the attacker population to authenticated users but does not remove the vulnerability, since any authenticated user can still trigger the injection.

CVE-2023-22522 is a significant security risk and should be addressed immediately. In the security advisories published today, Atlassian also patched two other critical flaws: