Enterprise software maker Atlassian on Monday urged all Confluence Data Center and Server customers to patch their instances against a critical-severity vulnerability that can be exploited without authentication.
The security defect, tracked as CVE-2023-22518 (CVSS score of 9.1), is described as an improper authorization bug that impacts all Confluence versions.
While it did not share technical details on the flaw in its advisory, Atlassian instead drew attention to the high impact successful exploitation would have.
“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” Atlassian CISO Bala Sathiamurthy notes.
“There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances,” Sathiamurthy continues.
According to Atlassian, the vulnerability has no impact on confidentiality, as no data exfiltration can occur from exploiting it.
The issue has been addressed with the release of Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.
Customers that are unable to apply the patches are advised to back up their instances and block internet access to them until they can be patched.
“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” Atlassian notes.
The company also notes that, as per its policy regarding critical vulnerabilities, the patches will be back ported, and that new maintenance releases for all versions covered by the policy will become available.
“Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue,” the software maker notes.