Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-93502

RCE in Confluence Data Center and Server - CVE-2023-22522

XMLWordPrintable

    • Severity 1 - Critical
    • 9
    • Critical
    • CVE-2023-22522
    • CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • RCE (Remote Code Execution)
    • Confluence Data Center, Confluence Server

      Summary of Vulnerability

      This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve RCE on an affected instance. Confluence Data Center and Server versions as listed below are at risk and require immediate attention. See “What You Need to Do” for detailed instructions.

      Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

      Affected Versions

      Product Affected Versions
      Confluence Data Center and Server
      • 4.x.x
      • 5.x.x
      • 6.x.x
      • 7.x.x
      • 8.0.x
      • 8.1.x
      • 8.2.x
      • 8.3.x
      • 8.4.0
      • 8.4.1
      • 8.4.2
      • 8.4.3
      • 8.4.4
      • 8.5.0
      • 8.5.1
      • 8.5.2
      • 8.5.3
      Confluence Data Center
      • 8.6.0
      • 8.6.1

      Fixed Versions

      Product Fixed Versions
      Confluence Data Center and Server
      • 7.19.17 (LTS)
      • 8.4.5
      • 8.5.4 (LTS)
      Confluence Data Center
      • 8.6.2 or later (Data Center Only)
      • 8.7.1 or later (Data Center Only)

      What You Need To Do

      Immediately patch to a fixed version

      Atlassian recommends that you patch each of your affected installations to the latest version or one of the listed fixed versions below.

      Product Fixed Versions
      Confluence Data Center and Server
      • 7.19.17 (LTS)
      • 8.4.5
      • 8.5.4 (LTS)
      Confluence Data Center
      • 8.6.2 or later (Data Center Only)
      • 8.7.1 or later (Data Center Only)

      For additional details, please see full advisory.

            [CONFSERVER-93502] RCE in Confluence Data Center and Server - CVE-2023-22522

            Channakesa Chindanur added a comment -

            Hello, Last weekend we have upgraded to 8.9.7 ( Data Center ) and fix version will be 8.5.4 LTS onwards, but still why it is showing in my confluence application that affected with security vulnerabilities.

            Can any one confirm on this?

            Channakesa Chindanur added a comment - Hello, Last weekend we have upgraded to 8.9.7 ( Data Center ) and fix version will be 8.5.4 LTS onwards, but still why it is showing in my confluence application that affected with security vulnerabilities. Can any one confirm on this?

            Tim Eddelbüttel added a comment -

            Any reason why the Published transition was executed again by prodsec-jac-bot yesterday?

            Tim Eddelbüttel added a comment - Any reason why the Published transition was executed again by prodsec-jac-bot yesterday?

            IT233 added a comment -

            Is it really too much to ask, to properly populate the "Affects Version/s:"-field?

            Checking the security vulnerability API I was rather surprised that CVE-2023-22522 didn't show up. But as the data is missing here... Well, that explains a lot. (For the record: This it the current data set: Affects Version/s: 7.20.0, 8.0.0, 4.0.0, 8.6.0)

            I would really appreciate if you could fix this. Would make things a lot easier. Thank you very much.

            IT233 added a comment - Is it really too much to ask, to properly populate the "Affects Version/s:"-field? Checking the security vulnerability API I was rather surprised that CVE-2023-22522 didn't show up. But as the data is missing here... Well, that explains a lot. (For the record: This it the current data set: Affects Version/s: 7.20.0, 8.0.0, 4.0.0, 8.6.0) I would really appreciate if you could fix this. Would make things a lot easier. Thank you very much.

            rajatglobalsign added a comment -

            seems like Atlassian wants their customers to move to Atlassian Cloud as each advisory says Cloud sites are not affected. 

            rajatglobalsign added a comment - seems like Atlassian wants their customers to move to Atlassian Cloud as each advisory says Cloud sites are not affected. 

            Dabin Daniel Sundaram added a comment - - edited

            We have upgraded to 7.19.16 version to mitigate the previous vulnerability last Saturday. Why does Atlassian want their users to upgrade their version every weekend? Why can't the Atlassian provide some patches for all the LTS versions and sub-versions? I guess if I upgrade to the fixed version this Saturday, another vulnerability would be introduced by Monday, then the Atlassian will ask the users to upgrade to the fixed version and it would repeat. It seems like the infinity loop. It looks like the Atlassian encourage the users not to use their products.

            Atlassian team, we need the patch for the LTS versions. We can't just keep on working only on the upgrade, testing.. upgrade, testing.. upgrade, testing.. infinitely.

            Dabin Daniel Sundaram added a comment - - edited We have upgraded to 7.19.16 version to mitigate the previous vulnerability last Saturday. Why does Atlassian want their users to upgrade their version every weekend? Why can't the Atlassian provide some patches for all the LTS versions and sub-versions? I guess if I upgrade to the fixed version this Saturday, another vulnerability would be introduced by Monday, then the Atlassian will ask the users to upgrade to the fixed version and it would repeat. It seems like the infinity loop. It looks like the Atlassian encourage the users not to use their products. Atlassian team, we need the patch for the LTS versions. We can't just keep on working only on the upgrade, testing.. upgrade, testing.. upgrade, testing.. infinitely.

            rajatglobalsign added a comment -

            Hello, Is confluence Data Center version 7.19.16 also affected?

            rajatglobalsign added a comment - Hello, Is confluence Data Center version 7.19.16 also affected?

            Faisal Shamim added a comment -

            Hi 

            is Confluence Server Version 7.19.16 affected? 

            We recently updated it to this version due to a vulnerability issue 

             

            Thanks

            Faisal

            Faisal Shamim added a comment - Hi  is Confluence Server Version 7.19.16 affected?  We recently updated it to this version due to a vulnerability issue    Thanks Faisal

            Andy Holt added a comment -

            What exactly does 'an authenticated attacker, including one with anonymous access' mean?  That sounds like 'an unauthenticated attacker' to me.

            Andy Holt added a comment - What exactly does 'an authenticated attacker, including one with anonymous access' mean?  That sounds like 'an unauthenticated attacker' to me.

            Gabriel Udvar added a comment -

            Britta, it looks like all v7 versions are affected, including 7.19.16.

            Gabriel Udvar added a comment - Britta, it looks like all v7 versions are affected, including 7.19.16.

            Britta Hupka added a comment -

            Hi,

            is Confuence Server Version 7.19.16 affected?

            Thanks

            Britta Hupka added a comment - Hi, is Confuence Server Version 7.19.16 affected? Thanks

              Unassigned Unassigned
              smoorthy Sharada Moorthy (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              34 Start watching this issue

                Created:
                Updated:
                Resolved: