Atlassian is warning of a critical security flaw, tracked as CVE-2023-22518 with a CVSS score of 9.1, which affects all versions of Confluence Data Center and Server.
The vulnerability is an improper authorization issue that an unauthenticated attacker can exploit to cause significant data loss.
Atlassian's advisory reads: "As a part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker."
Atlassian is not aware of any in-the-wild attacks exploiting this vulnerability. However, the company urges customers to take immediate action to protect their installations.
The issue has been addressed in Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1; customers on any other release line should upgrade to one of these fixed versions.
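A quick way to turn the fixed-version list above into a check is to compare the installed version against the fix for its own release line. The script below is an added example, not Atlassian's code or tooling: it parses a Confluence version string, decides whether it is at or above the fixed release for that line, and, as a convenience for scanning your own estate, pulls the version out of a page fragment. Two assumptions are labelled in the code: that release lines newer than 8.6 already contain the fix (the advisory only lists the five versions above), and that Confluence Server pages expose the build version in an `ajs-version-number` meta tag (verify this against your instance). The HTML sample is constructed, not captured from a real server.

```python
"""Check a Confluence Data Center / Server version against the CVE-2023-22518 fix list."""
import re
from typing import Optional, Tuple

# Fixed versions named in Atlassian's advisory, keyed by release line (major, minor).
FIXED_VERSIONS = {
    (7, 19): (7, 19, 16),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 3),
    (8, 6): (8, 6, 1),
}
# Assumption (not stated in the advisory): release lines newer than the newest
# fixed line (8.6) already ship with the fix.
NEWEST_FIXED_LINE = max(FIXED_VERSIONS)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.5.2' (or '8.5') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version: str) -> bool:
    """True if this version carries the CVE-2023-22518 fix."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[line]
    if line > NEWEST_FIXED_LINE:
        return True  # see the assumption above
    # Every other line (7.18 and earlier, 7.20 through 8.2) received no fix: upgrade.
    return False


def extract_version_from_html(html: str) -> Optional[str]:
    """Pull the build version from a Confluence page.

    Assumption: Confluence Server/Data Center pages include
    <meta name="ajs-version-number" content="..."> (verify on your instance).
    """
    m = re.search(r'<meta[^>]*name="ajs-version-number"[^>]*content="([^"]+)"', html)
    return m.group(1) if m else None


def assess(html: str) -> str:
    """One-line verdict for a fetched page: version plus patched/vulnerable status."""
    version = extract_version_from_html(html)
    if version is None:
        return "unknown: version not found in page"
    status = "patched" if is_patched(version) else "VULNERABLE, upgrade"
    return f"{version}: {status}"


# Constructed sample of a login-page fragment; not captured from a real instance.
SAMPLE_HTML = '<html><head><meta name="ajs-version-number" content="8.5.2"></head></html>'

if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
    for v in ("7.18.4", "7.19.15", "7.19.16", "8.2.3", "8.5.3", "8.6.1", "8.7.0"):
        print(v, "patched" if is_patched(v) else "vulnerable")
```

In practice you would feed `assess()` the body of an HTTP GET against the instance's login page; the comparison is deliberately per-line, because a version such as 8.2.3 is higher than 7.19.16 yet has no fix on its own line and must be treated as vulnerable.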
Atlassian states that there is no impact on confidentiality, since an attacker cannot exfiltrate any instance data; the 9.1 score reflects the impact on integrity and availability, namely the data loss described above.
Confluence Cloud sites, accessed via an atlassian.net domain, are not affected by this issue because they are hosted by Atlassian.
Customers unable to apply the patches immediately are advised to back up their instances and block internet access to them until they have been patched.