
Atlassian cranks up the threat meter to max for Confluence authorization flaw
2023-11-08 14:00

Atlassian reassessed the severity rating of the recent improper authorization vulnerability in Confluence Data Center and Server, raising the CVSS score from 9.1 to a maximum of 10.

In its original advisory, the Aussie-headquartered vendor said exploitation of the vulnerability by an unauthenticated user could lead to "significant data loss." In the recently updated advisory, it conceded an attacker could reset Confluence and create an administrator account.

In addition to reiterating that all versions of Confluence are affected by the vulnerability and should be upgraded as a matter of emergency, Atlassian has now confirmed that active exploitation of the vulnerability has begun, echoing the recent reports from others in the cybersecurity industry.

Security company Rapid7 reported a possible mass exploitation event was unfolding as of November 5 after its telemetry picked up on attacks in "various customer environments."

"The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers," it said in a blog post.

The increased severity rating for CVE-2023-22518 now means it matches the severity of the other major Confluence vulnerability, a zero-day disclosed earlier in October.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/11/08/atlassian_confluence_flaw_upgraded/

Related Vulnerability

DATE:                2023-10-31
CVE:                 CVE-2023-22518
VULNERABILITY TITLE: Incorrect Authorization vulnerability in Atlassian Confluence Data Center
DESCRIPTION:         All versions of Confluence Data Center and Server are affected by this unexploited vulnerability.
ATTACK VECTOR:       network
ATTACK COMPLEXITY:   low complexity
VENDOR / CWE:        atlassian, CWE-863
RISK:                critical (9.8)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Atlassian 58 56 291 40 34 421