Atlassian is warning of a critical security flaw, tracked as CVE-2023-22518 (CVSS score 9.1), that affects all versions of Confluence Data Center and Server.
The vulnerability is an improper authorization issue that can lead to significant data loss if exploited by an unauthenticated attacker.
“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker.” reads the advisory.
Atlassian is not aware of attacks in the wild exploiting this vulnerability; however, the company urges customers to take immediate action to protect their installs.
The vulnerability was addressed with the release of the following versions:
Atlassian states that there is no impact on confidentiality as an attacker cannot exfiltrate any instance data.
“Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention. See ‘What You Need to Do’ for detailed instructions.” continues the advisory.
Confluence sites that are accessed via an atlassian.net domain are not impacted by this issue because they are hosted by Atlassian.
(SecurityAffairs – hacking, Confluence Data Center)