Atlassian, the collaboration software vendor, announced on Wednesday that it had discovered and patched a zero-day vulnerability affecting Confluence Data Center and Server. These are self-managed versions of Atlassian’s popular workspace suite.
The vulnerability, tracked as CVE-2023-22515, is classified as a critical privilege escalation vulnerability. Atlassian revealed that it had been alerted to attacks exploiting it. In a security advisory, the company explained that external attackers may have exploited the previously unknown vulnerability in publicly accessible Confluence instances to create unauthorized Confluence administrator accounts and gain unauthorized access.
Atlassian confirmed that versions prior to 8.0.0 of Confluence Data Center and Server are not impacted by the vulnerability. However, the company strongly encouraged customers with affected versions to upgrade to fixed versions, such as 8.3.3 or later, 8.4.3 or later, and 8.5.2 (the “Long Term Support release”) or later. The list of affected versions includes 8.0.0 to 8.5.1. Atlassian clarified that its cloud sites are not affected by this vulnerability.
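As an added example, not part of the article or Atlassian's advisory, the following script turns the version information above into an inventory triage check: it classifies a reported Confluence Data Center/Server version as affected or not and names the fix release to move to. The version ranges come from the paragraph above; the host names in the sample inventory are constructed.

```python
from typing import NamedTuple, Optional

# Ranges as stated in the advisory summary: 8.0.0 through 8.5.1 are affected;
# 8.3.3, 8.4.3 and 8.5.2 (LTS) are the first fixed releases of their branches.
AFFECTED_LOW = (8, 0, 0)
AFFECTED_HIGH = (8, 5, 1)
FIRST_FIXED = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
LTS_FIXED = (8, 5, 2)


class Assessment(NamedTuple):
    version: str
    affected: bool
    reason: str
    upgrade_to: Optional[str]  # None when no action is needed


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' into an int tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Assessment:
    v = parse_version(text)
    if v < AFFECTED_LOW:
        return Assessment(text, False, "pre-8.0.0 release, not affected", None)
    if v > AFFECTED_HIGH:
        return Assessment(text, False, "newer than 8.5.1, outside affected range", None)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is not None and v >= fixed:
        return Assessment(text, False, f"at or above fixed release {fmt(fixed)}", None)
    # Affected: prefer the fix on the same branch, otherwise the LTS fix release.
    target = fixed if fixed is not None else LTS_FIXED
    return Assessment(text, True, "in affected range 8.0.0-8.5.1", fmt(target))


def triage(inventory: dict) -> list:
    """Return (host, assessment) pairs for hosts that still need an upgrade."""
    needs_action = []
    for host, version in inventory.items():
        result = assess(version)
        if result.affected:
            needs_action.append((host, result))
    return needs_action


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names, not real systems).
    sample = {"wiki-a": "8.5.1", "wiki-b": "8.5.2", "wiki-c": "7.19.10", "wiki-d": "8.2.0"}
    for host, a in triage(sample):
        print(f"{host}: {a.version} {a.reason}; upgrade to {a.upgrade_to}")
```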
The exact CVSS score for CVE-2023-22515 has not been assigned as of this writing. However, Atlassian has deemed it critical according to its own severity levels. The company highlighted that Confluence instances exposed to the public internet are at an elevated risk since this vulnerability can be exploited anonymously.
For customers unable to upgrade immediately, Atlassian recommended restricting external network access to affected Confluence instances or blocking access to the /setup/* endpoints on those instances to mitigate potential attack vectors. The vendor also provided indicators of compromise for additional guidance.
Although the official advisory lacked technical details, cybersecurity firm Rapid7 published a blog post offering further insights into the vulnerability. Caitlin Condon, Rapid7’s head of vulnerability research, pointed out that it is uncommon for a privilege escalation flaw to be categorized as critical. Condon suggested that the vulnerability may enable a regular user account to elevate to admin status. However, she noted that the feature allowing new user sign-ups without approval is disabled by default.
TechTarget Editorial reached out to Atlassian for clarification on whether CVE-2023-22515 can be remotely executed and for more information. However, the vendor declined to comment, only providing a general statement confirming that they were aware of the issue and that external attackers might have exploited the vulnerability.
It is worth noting that critical vulnerabilities in Confluence have previously attracted threat actors. In June of last year, a remote code execution bug, CVE-2022-26134, was heavily abused by ransomware actors in Confluence Data Center and Server deployments. Additionally, in September 2021, another remote code execution flaw, CVE-2021-26084, came under active exploitation shortly after its public disclosure.
Organizations running Confluence Data Center and Server should promptly upgrade to the fixed versions recommended by Atlassian to protect against attacks exploiting CVE-2023-22515. Vigilance and proactive security measures are crucial to prevent unauthorized access and potential damage to Confluence instances.
In conclusion, Atlassian has patched a critical privilege escalation vulnerability in Confluence Data Center and Server. The company has urged customers to upgrade to fixed versions and provided mitigation recommendations to safeguard against potential attacks. Instances hosted on Atlassian Cloud are not affected. Stay updated on security advisories to protect your Confluence deployment from emerging threats.
