Enterprise software maker Atlassian on Tuesday warned of a critical vulnerability in out-of-date Confluence Data Center and Server versions that could be exploited for remote code execution (RCE), without authentication.
The issue, tracked as CVE-2023-22527 (CVSS score of 10), is described as a template injection flaw that was mitigated in the supported versions of Confluence during regular updates.
“Customers using an affected version must take immediate action. If you are on an out-of-date version, you must immediately patch. Atlassian recommends that you patch each of your affected installations to the latest version available,” Atlassian notes in an advisory.
The security defect impacts all out-of-date Confluence 8 versions released before Dec. 5, 2023, and Confluence version 8.4.5, which no longer receives backported fixes. Confluence 7.19.x Long Term Support (LTS) versions and Atlassian Cloud instances are not affected.
Atlassian notes that there are no workarounds available for this bug and that even Confluence instances that are not directly accessible from the internet might be at risk.
The company urges customers to update to the latest Confluence versions (namely 8.5.5 LTS and 8.7.2), but notes that the patches will also be backported to all LTS versions that have not reached end-of-life.
The latest Confluence versions also contain fixes for five high-severity vulnerabilities, including two unauthenticated and two authenticated RCE bugs, and a denial-of-service (DoS) flaw in a third-party component.
The issues were included in Atlassian’s January 2024 security bulletin, which details 23 other security defects in third-party dependencies in Jira, Crowd, Bitbucket, and Bamboo Data Center and Server instances, some of them more than five years old.
“To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version,” the software maker notes.
Atlassian makes no mention of any of these vulnerabilities being exploited in the wild, but Confluence flaws are often the target of threat actors.