[CONFSERVER-93502] RCE in Confluence Data Center and Server - CVE-2023-22522 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Highest
Fix Version/s: 8.5.4, 7.19.17, 8.6.2, 8.4.5, 8.7.1
Affects Version/s: 7.20.0, 8.0.0, 4.0.0, 8.6.0
Component/s: None
Labels:

Symptom Severity:
Severity 1 - Critical
CVSS Score:
9
CVSS Severity:
Critical
CVE ID:
CVE-2023-22522
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Classes:

RCE (Remote Code Execution)
Affected Product(s):

Confluence Data Center, Confluence Server
Advisory URL:
https://confluence.atlassian.com/pages/viewpage.action?pageId=1319570362

Summary of Vulnerability

This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve RCE on an affected instance. Confluence Data Center and Server versions as listed below are at risk and require immediate attention. See “What You Need to Do” for detailed instructions.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Affected Versions

Product	Affected Versions
Confluence Data Center and Server	4.x.x 5.x.x 6.x.x 7.x.x 8.0.x 8.1.x 8.2.x 8.3.x 8.4.0 8.4.1 8.4.2 8.4.3 8.4.4 8.5.0 8.5.1 8.5.2 8.5.3
Confluence Data Center	8.6.0 8.6.1

Fixed Versions

Product	Fixed Versions
Confluence Data Center and Server	7.19.17 (LTS) 8.4.5 8.5.4 (LTS)
Confluence Data Center	8.6.2 or later (Data Center Only) 8.7.1 or later (Data Center Only)

What You Need To Do

Immediately patch to a fixed version

Atlassian recommends that you patch each of your affected installations to the latest version or one of the listed fixed versions below.

Product	Fixed Versions
Confluence Data Center and Server	7.19.17 (LTS) 8.4.5 8.5.4 (LTS)
Confluence Data Center	8.6.2 or later (Data Center Only) 8.7.1 or later (Data Center Only)

For additional details, please see full advisory.

is action for: PRODSEC-5414 Loading...

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load

Channakesa Chindanur added a comment - 06/Dec/2024 10:12 AM

Hello, Last weekend we have upgraded to 8.9.7 ( Data Center ) and fix version will be 8.5.4 LTS onwards, but still why it is showing in my confluence application that affected with security vulnerabilities.

Can any one confirm on this?

Channakesa Chindanur added a comment - 06/Dec/2024 10:12 AM Hello, Last weekend we have upgraded to 8.9.7 ( Data Center ) and fix version will be 8.5.4 LTS onwards, but still why it is showing in my confluence application that affected with security vulnerabilities. Can any one confirm on this?

Tim Eddelbüttel added a comment - 11/Sep/2024 10:39 AM

Any reason why the Published transition was executed again by prodsec-jac-bot yesterday?

Tim Eddelbüttel added a comment - 11/Sep/2024 10:39 AM Any reason why the Published transition was executed again by prodsec-jac-bot yesterday?

prodsec-jac-bot made changes - 10/Sep/2024 8:27 PM

Status

Original: Published [ 12873 ]

New: Published [ 12873 ]

Cathy S made changes - 13/Mar/2024 5:55 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 880203 ]

Renata Bueno made changes - 22/Dec/2023 12:32 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 850249 ]

UB made changes - 07/Dec/2023 11:41 AM

Labels

Original: advisory advisory-released dont-import fixed-versions-published security

New: advisory advisory-released dont-import fixed-versions-published hot-conf-fixed security

IT233 added a comment - 07/Dec/2023 11:20 AM

Is it really too much to ask, to properly populate the "Affects Version/s:"-field?

Checking the security vulnerability API I was rather surprised that CVE-2023-22522 didn't show up. But as the data is missing here... Well, that explains a lot. (For the record: This it the current data set: Affects Version/s: 7.20.0, 8.0.0, 4.0.0, 8.6.0)

I would really appreciate if you could fix this. Would make things a lot easier. Thank you very much.

IT233 added a comment - 07/Dec/2023 11:20 AM Is it really too much to ask, to properly populate the "Affects Version/s:"-field? Checking the security vulnerability API I was rather surprised that CVE-2023-22522 didn't show up. But as the data is missing here... Well, that explains a lot. (For the record: This it the current data set: Affects Version/s: 7.20.0, 8.0.0, 4.0.0, 8.6.0) I would really appreciate if you could fix this. Would make things a lot easier. Thank you very much.

Yuki Kang made changes - 07/Dec/2023 6:01 AM

Comment

[ Why showing Label "fixed-versions-not-yet-published"? ]

rajatglobalsign added a comment - 07/Dec/2023 5:47 AM

seems like Atlassian wants their customers to move to Atlassian Cloud as each advisory says Cloud sites are not affected.

rajatglobalsign added a comment - 07/Dec/2023 5:47 AM seems like Atlassian wants their customers to move to Atlassian Cloud as each advisory says Cloud sites are not affected.

Dabin Daniel Sundaram added a comment - 07/Dec/2023 5:32 AM - edited

We have upgraded to 7.19.16 version to mitigate the previous vulnerability last Saturday. Why does Atlassian want their users to upgrade their version every weekend? Why can't the Atlassian provide some patches for all the LTS versions and sub-versions? I guess if I upgrade to the fixed version this Saturday, another vulnerability would be introduced by Monday, then the Atlassian will ask the users to upgrade to the fixed version and it would repeat. It seems like the infinity loop. It looks like the Atlassian encourage the users not to use their products.

Atlassian team, we need the patch for the LTS versions. We can't just keep on working only on the upgrade, testing.. upgrade, testing.. upgrade, testing.. infinitely.

Dabin Daniel Sundaram added a comment - 07/Dec/2023 5:32 AM - edited We have upgraded to 7.19.16 version to mitigate the previous vulnerability last Saturday. Why does Atlassian want their users to upgrade their version every weekend? Why can't the Atlassian provide some patches for all the LTS versions and sub-versions? I guess if I upgrade to the fixed version this Saturday, another vulnerability would be introduced by Monday, then the Atlassian will ask the users to upgrade to the fixed version and it would repeat. It seems like the infinity loop. It looks like the Atlassian encourage the users not to use their products. Atlassian team, we need the patch for the LTS versions. We can't just keep on working only on the upgrade, testing.. upgrade, testing.. upgrade, testing.. infinitely.

Assignee:: Unassigned

Reporter:: Sharada Moorthy (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 34 Start watching this issue

Created:: 05/Dec/2023 6:46 AM

Updated:: 06/Dec/2024 10:12 AM

Resolved:: 06/Dec/2023 5:25 AM

Details

Description

Summary of Vulnerability

Affected Versions

Fixed Versions

What You Need To Do

Immediately patch to a fixed version

Attachments

Issue Links

Forms

Activity

[CONFSERVER-93502] RCE in Confluence Data Center and Server - CVE-2023-22522

Collapse comment: Channakesa Chindanur added a comment - 06/Dec/2024 10:12 AM

Expand comment: Channakesa Chindanur added a comment - 06/Dec/2024 10:12 AM

Collapse comment: Tim Eddelbüttel added a comment - 11/Sep/2024 10:39 AM

Expand comment: Tim Eddelbüttel added a comment - 11/Sep/2024 10:39 AM

Collapse comment: IT233 added a comment - 07/Dec/2023 11:20 AM

Expand comment: IT233 added a comment - 07/Dec/2023 11:20 AM

Collapse comment: rajatglobalsign added a comment - 07/Dec/2023 5:47 AM

Expand comment: rajatglobalsign added a comment - 07/Dec/2023 5:47 AM

Collapse comment: Dabin Daniel Sundaram added a comment - 07/Dec/2023 5:32 AM, Edited by Dabin Daniel Sundaram - 07/Dec/2023 5:39 AM

Expand comment: Dabin Daniel Sundaram added a comment - 07/Dec/2023 5:32 AM, Edited by Dabin Daniel Sundaram - 07/Dec/2023 5:39 AM

People

Dates