Critical Vulnerability in Atlassian Confluence Data Center and Server

Published on 01 Nov 2023 | Updated on 01 Nov 2023

Atlassian has released security updates to address a critical vulnerability (CVE-2023-22518) in their Confluence Data Center and Server products.

Successful exploitation of the improper authorisation vulnerability by an unauthenticated attacker could lead to significant data loss.

The vulnerability affects all versions of the Atlassian Confluence Data Center and Server products prior to the fixed versions listed below:

7.19.16 or later
8.3.4 or later
8.4.4 or later
8.5.3 or later
8.6.1 or later

Users and administrators of affected product versions are advised to update to the latest versions immediately.

If immediate patching is not possible, users and administrators of affected product versions are advised to apply the following mitigating measures as a temporary solution:

Back up the vulnerable instance (Instructions on backing up are available here: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html).
Vulnerable instances, including those with user authentication, should be restricted from internet access until patches are applied.

More information is available here:

https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-confluence-server-1311473907.html

https://nvd.nist.gov/vuln/detail/CVE-2023-22518