Atlassian has fixed a privilege escalation vulnerability in Confluence Server and Data Center editions.
The vulnerability, tracked as CVE-2023-22515, has already been exploited by attackers against some publicly accessible Confluence instances, allowing them to create unauthorized Confluence administrator accounts and gain access to those instances.
Atlassian Cloud sites are unaffected: if your Confluence site is accessed through an atlassian.net domain, it is not exposed to this issue.
Atlassian rates the severity of this vulnerability as critical. It affects Confluence Data Center and Server versions 8.0.0 and onward, and it is remotely exploitable in low-complexity attacks that require no user interaction.
A privilege escalation vulnerability is a type of security vulnerability that allows an attacker to elevate their privileges on a system. This can be done by exploiting a weakness in the system’s security controls or by exploiting a bug in a software application.
Once an attacker has elevated their privileges, they can gain access to sensitive data, execute malicious code, or even take over the system completely. CVE-2023-22515 is critical because it is remotely exploitable and does not require user interaction. This means that an attacker can exploit this vulnerability without having to trick a user into clicking on a malicious link or opening an attachment.
This vulnerability can be exploited to create unauthorized Confluence administrator accounts. This gives the attacker complete control over the Confluence instance, which they can use to steal data, launch attacks against other systems, or even disrupt operations.
If you’re using a vulnerable version of Confluence Data Center or Server, it’s time to spring into action:
- Upgrade the Confluence instances to the latest versions provided by Atlassian, specifically 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later.
- Consider Removing Internet Access: If immediate patching isn’t feasible, Atlassian recommends disconnecting Confluence Server and Data Center instances from the Internet, either by shutting them down or by isolating them behind firewalls.
- Limit External Access: An alternative measure is to restrict external network access to your affected instance.
- Block Access to Vulnerable Endpoints: Specific attack vectors can be mitigated by blocking access to the /setup/* endpoints on your Confluence instances. Changes to Confluence’s configuration files or network-level restrictions can achieve this.
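Added triage example (not from the article or from Atlassian): a Python script that classifies a Confluence version against the affected and fixed ranges listed above, and scans access-log lines for requests to /setup/* endpoints, which a fully configured instance should not be serving. The Common Log Format parsing and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Ranges from the advisory text: affected from 8.0.0 onward; fixed in
# 8.3.3+, 8.4.3+ and 8.5.2+ (read here as 8.5.2 and every later release).
AFFECTED_FROM = (8, 0, 0)
FIXED_IN: List[Tuple[Tuple[int, ...], Optional[Tuple[int, ...]]]] = [
    ((8, 3, 3), (8, 4, 0)),  # 8.3.x branch fixed from 8.3.3
    ((8, 4, 3), (8, 5, 0)),  # 8.4.x branch fixed from 8.4.3
    ((8, 5, 2), None),       # 8.5.2 and anything newer
]

def parse_version(text: str) -> Tuple[int, ...]:
    """'8.5.1' -> (8, 5, 1); raises ValueError on non-numeric components."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(version: str) -> bool:
    """True when the version is in the affected range and not in a fixed range."""
    v = parse_version(version)
    if v < AFFECTED_FROM:
        return False
    for low, high in FIXED_IN:
        if v >= low and (high is None or v < high):
            return False
    return True

# Constructed Common Log Format lines; not real traffic (assumed format).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5123
203.0.113.7 - - [04/Oct/2023:10:01:09 +0000] "GET /setup/example.action HTTP/1.1" 200 2201
198.51.100.4 - - [04/Oct/2023:10:02:11 +0000] "POST /rest/api/content HTTP/1.1" 201 412
203.0.113.7 - - [04/Oct/2023:10:02:30 +0000] "POST /setup/finish.action?x=1 HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_setup_requests(log_text: str) -> List[Tuple[str, str, str, str, int]]:
    """Return (client, timestamp, method, path, status) for each /setup/* request.
    Instances served under a context path need the prefix adjusted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        if path.split("?", 1)[0].startswith("/setup/"):
            hits.append((client, ts, method, path, int(status)))
    return hits

if __name__ == "__main__":
    print("8.5.1 vulnerable:", is_vulnerable("8.5.1"))
    for hit in find_setup_requests(SAMPLE_LOG):
        print("setup endpoint request:", hit)
```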