Atlassian reveals critical Confluence RCE flaw, urges “immediate action” (CVE-2023-22527)
Atlassian has patched a critical vulnerability in Confluence Data Center and Confluence Server that could lead to remote code execution.
Atlassian hasn't said whether the vulnerability is being actively exploited, but has stated that customers "must take immediate action to protect their Confluence instances."
CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated attacker to achieve RCE on affected versions of Confluence Data Center and Confluence Server: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.
Atlassian Cloud instances are not affected by this vulnerability, and neither is Confluence version 7.19.x.
Vulnerable Confluence instances have been preferred targets of various threat actors over the years.
"If the Confluence instance cannot be accessed from the internet the risk of exploitation is reduced, but not completely mitigated," the company added, and again said it "strongly recommended" upgrading to the latest version available.
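The affected-version list and the note about internet exposure are the two inputs a team needs to triage its own Confluence estate. The script below is an added example, not code from the article or from Atlassian: it encodes the version ranges the article lists (8.0.0 through 8.5.3 affected, 7.19.x not affected), parses Confluence version strings, and ranks a constructed inventory so that affected, internet-facing instances come first, reflecting Atlassian's point that internal-only exposure reduces but does not remove the risk. The hostnames, versions and HTML fragment are constructed; the `ajs-version-number` meta tag is an assumption about how Confluence pages expose their running version and is not taken from the article. A version outside the listed ranges is reported only as "not in a listed affected range", which is not the same as Atlassian having declared it fixed.

```python
"""Triage a Confluence Server / Data Center inventory against CVE-2023-22527.

Affected ranges are the ones the article lists: 8.0.x through 8.4.x and
8.5.0 through 8.5.3. 7.19.x is listed as not affected. Anything outside the
listed ranges is reported as "not in a listed affected range" only.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the article as half-open intervals [low, high).
# 8.0.0 .. 8.5.3 is contiguous, so one interval covers it; 8.5.4 is the
# first version outside the listed affected set.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 0, 0), (8, 5, 4)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' (e.g. '8.5.3', '7.19') into an int tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"not a Confluence version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside a range the article lists as affected."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


# Assumption, not from the article: Confluence HTML carries the running version in
# <meta name="ajs-version-number" content="..."> alongside its other "ajs-" meta tags.
_META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.I)


def version_from_html(html: str) -> Optional[str]:
    """Extract the version string from a saved Confluence page, or None if absent."""
    m = _META_RE.search(html)
    return m.group(1) if m else None


def triage(inventory: List[dict]) -> List[dict]:
    """Rank instances: affected and internet-exposed first, then affected internal
    ones, then everything else. Internal-only lowers the priority but, as Atlassian
    says, does not remove the need to patch."""
    rows = []
    for inst in inventory:
        affected = is_affected(inst["version"])
        exposed = bool(inst.get("internet_exposed"))
        if affected and exposed:
            priority, verdict = 0, "PATCH NOW: affected and internet-exposed"
        elif affected:
            priority, verdict = 1, "PATCH: affected (internal-only reduces, not removes, risk)"
        else:
            priority, verdict = 2, "not in a listed affected range"
        rows.append({**inst, "affected": affected, "priority": priority, "verdict": verdict})
    return sorted(rows, key=lambda r: (r["priority"], r["host"]))


# Constructed sample inventory (hostnames and versions are illustrative, not real assets).
SAMPLE_INVENTORY = [
    {"host": "wiki-dmz.example.test", "version": "8.5.3", "internet_exposed": True},
    {"host": "wiki-int.example.test", "version": "8.2.1", "internet_exposed": False},
    {"host": "wiki-lts.example.test", "version": "7.19.17", "internet_exposed": True},
    {"host": "wiki-new.example.test", "version": "8.5.4", "internet_exposed": True},
]

# Constructed HTML fragment standing in for a saved Confluence login page.
SAMPLE_HTML = '<html><head><meta name="ajs-version-number" content="8.4.0"></head></html>'

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["host"]:<24} {row["version"]:<8} {row["verdict"]}')
    v = version_from_html(SAMPLE_HTML)
    print(f"saved page reports {v}: affected={is_affected(v) if v else 'unknown'}")
```

Feed `triage()` whatever your CMDB or scanner exports (host, version, exposure flag) and the top of the list is the patch order; `version_from_html()` covers the case where the only evidence you have is a saved copy of the login page rather than an inventory record.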
News URL
https://www.helpnetsecurity.com/2024/01/16/cve-2023-22527/
Related news
- High-risk Atlassian Confluence RCE fixed, PoC available (CVE-2024-21683)
- Week in review: Atlassian Confluence RCE PoC, new Kali Linux, Patch Tuesday forecast
- Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw
- Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002)
- TP-Link fixes critical RCE bug in popular C5400X gaming router
- PHP fixes critical RCE flaw impacting all versions for Windows
- Critical RCE flaws in vCenter Server fixed (CVE-2024-37079, CVE-2024-37080)
- VMware fixes critical vCenter RCE vulnerability, patch now
- Week in review: CDK Global cyberattack, critical vCenter Server RCE fixed
- Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool
Related Vulnerability
Date | CVE | Vulnerability title | Description | Risk score
---|---|---|---|---
2024-01-16 | CVE-2023-22527 | Injection vulnerability in Atlassian Confluence Data Center and Confluence Server | A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. | 9.8