Connect with us

Hi, what are you looking for?



Atlassian Warns of Critical RCE Vulnerability in Outdated Confluence Instances

Out-of-date Confluence Data Center and Server instances are haunted by a critical vulnerability leading to remote code execution.

Enterprise software maker Atlassian on Tuesday warned of a critical vulnerability in out-of-date Confluence Data Center and Server versions that could be exploited for remote code execution (RCE), without authentication.

The issue, tracked as CVE-2023-22527 (CVSS score of 10), is described as a template injection flaw that was mitigated in the supported versions of Confluence during regular updates.

“Customers using an affected version must take immediate action. If you are on an out-of-date version, you must immediately patch. Atlassian recommends that you patch each of your affected installations to the latest version available,” Atlassian notes in an advisory.

The security defect impacts all out-of-date Confluence 8 versions released before Dec. 5, 2023, and Confluence version 8.4.5, which no longer receives backported fixes. Confluence 7.19.x Long Term Support (LTS) versions and Atlassian Cloud instances are not affected.

Atlassian notes that there are no workarounds available for this bug and that even Confluence instances that are not directly accessible from the internet might be at risk.

The company urges customers to update to the latest Confluence versions (namely 8.5.5 LTS and 8.7.2), but notes that the patches will also be backported to all LTS versions that have not reached end-of-life.

The latest Confluence versions also contain fixes for five high-severity vulnerabilities, including two unauthenticated and two authenticated RCE bugs, and a denial-of-service (DoS) flaw in a third-party component.

The issues were included in Atlassian’s January 2024 security bulletin, which details 23 other security defects in third-party dependencies in Jira, Crowd, Bitbucket, and Bamboo Data Center and Server instances, some of them more than five years old.

Advertisement. Scroll to continue reading.

“To fix all the vulnerabilities in this bulletin, Atlassian recommends patching your instances to the latest version,” the software maker notes.

Atlassian makes no mention of any of these vulnerabilities being exploited in the wild, but Confluence flaws are often the target of threat actors.

Related: Atlassian Patches Critical Remote Code Execution Vulnerabilities

Related: Atlassian Issues Second Warning on Potential Exploitation of Critical Confluence Flaw

Related: Atlassian Ships Urgent Patch for Exploited Confluence Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.