Atlassian has discovered yet another critical vulnerability in its Confluence Data Center and Server collaboration and project management platform, and it’s urging customers to patch the problem immediately. The latest advisory by Atlassian describes CVE-2023–22518 as an improper authorization vulnerability that affects all versions of the on-premises versions of Confluence.
It is the second critical vulnerability reported by Atlassian in a month, tied to its widely used Confluence Data Center and Server platform and among numerous security issues from the company during the past year. The previous bulletin (CVE-2023–22515) revealed a vulnerability that could allow an attacker to create unauthorized Confluence administrator accounts, thereby gaining access to instances. That vulnerability had a severity level of 10 and was discovered initially by some customers who reported they may have been breached by it.
To date, Atlassian is not aware of any active exploits of the newest vulnerability, which has a severity level of 9.1., though the company issued a statement encouraging customers to apply the patch. “We have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” Atlassian CISO Bala Sathiamurthy warned in a statement. “Customers must take immediate action to protect their instances.”
Leave a reply