[CONFSERVER-88265] RCE (Remote Code Execution) in Confluence Data Center & Server

    • CVSS Score: 8
    • Severity: High
    • CVE ID: CVE-2023-22505
    • Source: Bug Bounty
    • Credit: a private user
    • CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
    • Vulnerability Type: RCE (Remote Code Execution)
    • Affected Products: Confluence Data Center, Confluence Server

      This High severity RCE (Remote Code Execution) vulnerability, tracked as CVE-2023-22505, was introduced in version 8.0.0 of Confluence Data Center & Server.

      This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8, allows an authenticated attacker to execute arbitrary code. Per the CVSS vector, it is exploitable over the network with high attack complexity, requires high privileges, needs no user interaction, and has a changed scope with high impact to confidentiality, integrity, and availability.

      Atlassian recommends that you upgrade your instance to the latest version. If you're unable to upgrade to the latest version, upgrade to one of these fixed versions: 8.3.2, 8.4.0. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center & Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

      This vulnerability was discovered by a private user and reported via our Bug Bounty program.


            David Yu added a comment -

            How should we interpret the severity of this? The priority of the ticket is Low, and the CVSS score is High?


            Britta Hupka added a comment - edited

            Hi,

            Is this issue also fixed in Confluence Server version 7.13.20 or 7.19.8?

            Thanks

            Brian Fajardo added a comment -

            Thank you Sue Lund!

            Sue Lund added a comment - edited

            I submitted a separate ticket and asked if cloud was affected.

            From Atlassian (Ana Hinojosa):

            “Thank you for contacting Atlassian. My name is Ana, I'm part of the Cloud Support Team and I'll be assisting you on this request.

            My understanding is that you would like to know if CVE-2023-22505 impacts your cloud site. Please let me know if this is correct or if I'm missing any other details.

            The products under instance https://xxxxxxxxxxxxx.atlassian.net are Cloud and, based on the information shared on the following ticket, this only impacts Confluence Server and Data Center (on-premise) instances.

            CVE-2023-22505: RCE (Remote Code Execution) in Confluence Data Center & Server”

            Brian Fajardo added a comment -

            Hi,

            May someone please confirm if Confluence Cloud is/was affected by this or only Confluence Data Center and Confluence Server?

            Thanks in advance.

            Belinda Baker added a comment -

            Hi team,

            Just requesting you to review the labels attached to this ticket, as the "lts-7.19-fix-requested" label seems to imply that 7.13 and 7.19 could be affected; however, I'm assuming these labels are just auto-generated for "Public Security Vulnerability" tickets for all LTS versions still within support?

            As per the comment above, it seems versions below 8 are not affected.

            Kind Regards,

            Belinda

            Sue Lund added a comment -

            We are also wondering if Confluence Cloud is/was affected by this.


            Arulmozhi Jayasudhan added a comment -

            Is Confluence Cloud (SaaS) affected by this CVE?

            Rilwan_Ahmed_NC added a comment - edited

            This is the update I found in https://www.cve.org/CVERecord?id=CVE-2023-22505 regarding the affected versions. Hope Atlassian updates the affected versions in https://confluence.atlassian.com/security/security-bulletin-july-18-2023-1251417643.html

            Product: Confluence Server
            Default Status: unknown

            • affected at >= 8.0.0
            • unaffected at < 8.0.0
            • unaffected at >= 8.3.2
            • unaffected at >= 8.4.0

            Product: Confluence Data Center
            Default Status: unknown

            • affected at >= 8.0.0
            • unaffected at < 8.0.0
            • unaffected at >= 8.3.2
            • unaffected at >= 8.4.0
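The version ranges quoted from the CVE record above are easy to misread by eye when several instances are in play (and the thread shows the same question being asked about 7.13.20 and 7.19.8), so here is an added example, not Atlassian's code and not part of this issue, that applies those ranges the way the record states them: a version is vulnerable when it matches an "affected" range and no "unaffected" range. The helper that pulls the version out of a saved page body relies on Confluence Data Center pages carrying an `ajs-version-number` meta tag; that tag name is an assumption of this example, so confirm it against one of your own instances. The hostnames and HTML bodies are constructed for the example. A version outside the affected range says nothing about whether an instance was already exploited while it was vulnerable, and the record itself may be revised, so re-check the source before relying on the result.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Version ranges for CVE-2023-22505, transcribed from the CVE record text quoted
# in the thread (identical for Confluence Server and Confluence Data Center).
AFFECTED: List[Tuple[str, str]] = [(">=", "8.0.0")]
UNAFFECTED: List[Tuple[str, str]] = [("<", "8.0.0"), (">=", "8.3.2"), (">=", "8.4.0")]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; a missing patch is 0.

    A trailing qualifier such as '-rc1' is accepted and ignored for range checks.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-.][0-9A-Za-z.-]*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def _in_range(v: Version, op: str, bound: str) -> bool:
    b = parse_version(bound)
    if op == ">=":
        return v >= b
    if op == "<":
        return v < b
    raise ValueError(f"unsupported range operator: {op!r}")


def is_vulnerable(version: str) -> bool:
    """True when the version is inside an affected range and outside every unaffected one."""
    v = parse_version(version)
    hit = any(_in_range(v, op, b) for op, b in AFFECTED)
    excluded = any(_in_range(v, op, b) for op, b in UNAFFECTED)
    return hit and not excluded


# Assumption for this example: Confluence pages expose the running version in
# <meta name="ajs-version-number" content="..."> in the page head.
VERSION_META = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"')


def version_from_html(html: str) -> Optional[str]:
    """Extract the version string from a saved page body, or None if absent."""
    m = VERSION_META.search(html)
    return m.group(1) if m else None


def triage(pages: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'not affected' or 'unknown' from saved page bodies."""
    result: Dict[str, str] = {}
    for host, html in pages.items():
        ver = version_from_html(html)
        if ver is None:
            result[host] = "unknown"
        else:
            result[host] = "vulnerable" if is_vulnerable(ver) else "not affected"
    return result


# Constructed sample bodies (not real hosts), one per case worth checking:
# an affected 8.x, the first fixed 8.3.x, a 7.19 LTS, and a page with no version tag.
SAMPLE_PAGES = {
    "wiki-a.example": '<html><head><meta name="ajs-version-number" content="8.2.0"></head></html>',
    "wiki-b.example": '<html><head><meta name="ajs-version-number" content="8.3.2"></head></html>',
    "wiki-c.example": '<html><head><meta name="ajs-version-number" content="7.19.8"></head></html>',
    "wiki-d.example": '<html><head><title>Log in</title></head></html>',
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_PAGES).items():
        print(f"{host}: {status}")
```

With the ranges as quoted, 8.0.0 through 8.3.1 come back vulnerable, 8.3.2 and everything above it (including every 8.4.x) come back not affected, and any 7.x is outside the affected range entirely. A host whose page carries no version tag is reported as unknown rather than silently treated as safe.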

            Richard Minick added a comment -

            Is there no workaround we can use until we can upgrade?
