We have identified and fixed a vulnerability in Confluence which allowed unauthenticated users to commit actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to Confluence web interface.

The vulnerability affects all supported versions of Confluence up to and including 5.4.

Versions 5.3.4, 5.4 and 5.4.1 are not vulnerable but require patches for compatibility purposes in order to be able to connect to patched or upgraded versions of JIRA and other Atlassian products. You do not need to patch these versions if you are not using Application Links with Trusted Applications authentication configured. Version 5.4.2 is not vulnerable but contains a bug CONF-32397.

This issue has been fixed in 5.4.3.

For more information, see our security advisory.