Atlassian issues urgent Confluence patch

Atlassian is warning users of out-of-date Confluence data centre and server environments that they need to update to a current version to patch a critical-rated vulnerability.

CVE-2023-22527 carries a CVSS score of 10 and is a template injection vulnerability that gives an unauthenticated attacker remote code execution (RCE) capability.

Recent supported versions are not affected, because the vulnerability was “ultimately mitigated during regular updates.”

Affected versions were released before December 5, 2023, and include 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3.

The bug is fixed in Confluence data centre and server version 8.5.5 (LTS); and in Confluence data centre 8.7.2.

The company yesterday also released a security bulletin covering 28 high-rated vulnerabilities.

The fixes patch 14 denial-of-service bugs in the data centre and server versions of Bitbucket and Bamboo; information disclosure vulnerabilities in Crowd and Bamboo; six RCEs in Bamboo and Confluence; request smuggling vulnerabilities in Apache components used in Bitbucket, Bamboo, Crowd and Jira software; a server-side request forgery vulnerability in Jira service management; and an XML external entity injection bug in Jira software.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts