Atlassian found a critical security vulnerability, CVE-2023-22518, in the Confluence enterprise web wiki that could lead to "significant data loss." However, a recently updated advisory acknowledged that the vulnerability is much more serious and that attackers can completely reset Confluence and create accounts with administrator privileges.
According to The Register, Atlassian initially assessed the threat level at 9.1, but after the new statement, the threat score rose to a maximum of 10.
According to Atlassian, all versions of Confluence Data Center and Server are affected by this vulnerability.
The company currently recommends updating to the following versions: 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1.
Before updating, Atlassian also recommends creating a backup copy and, if possible, removing your instance from the Internet until you can install a secure version.
If a user is unable to restrict access to an external network or upgrade, the company recommends taking the following temporary measures to mitigate known attack vectors by blocking access to such endpoints in Confluence instances:
- /json/setup-restore.action
- /json/setup-restore-local.action
- /json/setup-restore-progress.action