Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss

Published: 2023-10-31 11:16 | Source: The Hacker News (thehackernews.com)

Tags: atlassian, confluence, vulnerability, data loss, security flaw, patch, public internet, update, exploitation

CVSS3: 9.8 High
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

AI Score: 9.8 High (Confidence: High)

CVSS2: 7.5 High
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.955 High (Percentile: 99.2%)

Confluence Vulnerability

Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in "significant data loss if exploited by an unauthenticated attacker."

Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of an "improper authorization vulnerability."

All versions of Confluence Data Center and Server are susceptible to the bug, and it has been addressed in the following versions -

  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later, and
  • 8.6.1 or later

That said, the Australian company emphasized that "there is no impact to confidentiality as an attacker cannot exfiltrate any instance data."

No other details about the flaw and the exact method by which an adversary can take advantage of it have been made available, likely owing to the fact that doing so could enable threat actors to devise an exploit.


Atlassian is also urging customers to take immediate action to secure their instances, recommending those that are accessible to the public internet be disconnected until a patch can be applied.

What’s more, users who are running versions that are outside of the support window are advised to upgrade to a fixed version. Atlassian Cloud sites are not affected by the issue.
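As an added example that is not part of the original article or of Atlassian's advisory, the following Python helper checks an installed Confluence Data Center/Server version against the fixed release lines listed above and applies the exposure guidance from the advisory summary: an instance on a vulnerable version that is reachable from the public internet is flagged for disconnection until it is patched, and a version on a release line with no fix (outside the support window) is flagged for an upgrade to a fixed version. The inventory is constructed sample data with hypothetical host names, and the handling of release lines newer than 8.6 is an assumption, since the article does not address them.

```python
import re
from typing import Dict, List, Tuple

# Fixed release lines from the advisory summary: (major, minor) -> first fixed patch level.
FIXED_RELEASES: Dict[Tuple[int, int], int] = {
    (7, 19): 16,
    (8, 3): 4,
    (8, 4): 4,
    (8, 5): 3,
    (8, 6): 1,
}

# Assessment outcomes returned by assess_version().
FIXED = "fixed"                       # at or above the fixed patch on a listed line
VULNERABLE = "vulnerable"             # on a listed line but below the fixed patch
UNPATCHED_LINE = "unpatched-line"     # older line with no fix: upgrade to a fixed version
NEWER = "newer-than-advisory"         # assumption: newer line than the article covers

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (trailing suffixes such as '-rc1' are ignored)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def assess_version(version: str) -> str:
    """Classify a Confluence version against the fixed release lines."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_RELEASES:
        return FIXED if patch >= FIXED_RELEASES[line] else VULNERABLE
    if line > max(FIXED_RELEASES):
        # Assumption: lines newer than 8.6 are not covered by the article; verify with the vendor.
        return NEWER
    # Release lines older than 7.19 or between the listed ones received no fix.
    return UNPATCHED_LINE


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, Dict[str, str]]:
    """Map each host to its status and the action the advisory guidance implies.

    inventory entries are (host, version, internet_facing).
    """
    result: Dict[str, Dict[str, str]] = {}
    for host, version, internet_facing in inventory:
        status = assess_version(version)
        if status == FIXED:
            action = "none"
        elif status == NEWER:
            action = "verify against the current vendor advisory"
        else:
            action = "upgrade to a fixed version"
            if internet_facing:
                # Advisory guidance: public-facing instances come off the internet until patched.
                action = "disconnect from the public internet, then " + action
        result[host] = {"version": version, "status": status, "action": action}
    return result


# Constructed sample inventory (hypothetical host names): (host, version, internet_facing).
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("wiki-prod-01", "8.5.2", True),
    ("wiki-prod-02", "8.5.3", True),
    ("wiki-int-01", "7.19.16", False),
    ("wiki-legacy-01", "8.2.1", False),
    ("wiki-lab-01", "8.7.0", False),
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {info['version']:9} {info['status']:20} {info['action']}")
```

The check is per release line rather than a single "greater than" comparison, because a version such as 8.2.1 is numerically above 7.19.16 yet has no fix on its own line; that is exactly the out-of-support case the advisory asks customers to resolve by moving to a fixed version.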

While there is no evidence of active exploitation in the wild, previously discovered shortcomings in the software, including the recently publicized CVE-2023-22515, have been weaponized by threat actors.

Update

Atlassian on November 2, 2023, updated its advisory to once again urge customers to apply the patches following the public release of critical information about the vulnerability that it said could lead to a greater likelihood of exploitation.

"There are still no reports of an active exploit, though customers must take immediate action to protect their instances," it further added. "If you already applied the patch, no further action is required."

