CVE-2023-22522 - RCE Vulnerability In Confluence Data Center and Confluence Server
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
| Summary | CVE-2023-22522 - RCE Vulnerability in Confluence Data Center and Server |
| Advisory Release Date | Tue, Dec 05 2023 21:00 PST |
| Products |
|
| CVE ID | CVE-2023-22522 |
| Related Jira Ticket(s) |
Summary of Vulnerability
This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve RCE on an affected instance. Confluence Data Center and Server versions as listed below are at risk and require immediate attention. See “What You Need to Do” for detailed instructions.
Severity
Atlassian rates the severity level of this vulnerability as critical (9.0 with the following vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.
Affected Versions
This RCE (Remote Code Execution) vulnerability affects all versions including and after 4.0.0 of Confluence Data Center and Server. Atlassian recommends patching to the latest version or a fixed LTS version.
| Product | Affected Versions |
|---|---|
| Confluence Data Center and Server |
|
| Confluence Data Center |
|
What You Need To Do
Immediately patch to a fixed version
Atlassian recommends that you patch each of your affected installations to the latest version or one of the listed fixed versions below.
| Product | Fixed Versions |
|---|---|
| Confluence Data Center and Server |
|
| Confluence Data Center |
|
Apply temporary mitigations if unable to patch
There is no current mitigation, however we recommend:
- Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
- Remove your instance from the internet until you can patch. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
Note: Before restoring your instance to the public internet you must apply the latest fix version.
Frequently Asked Questions (FAQ)
More details can be found on the Frequently Asked Questions (FAQ) page.
Support
If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Tech Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/contact/#/.
References
| Security Bug Fix Policy | As per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. |
| Security Levels for Security Issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
| End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |