Enterprise software maker Atlassian on Tuesday warned of a critical vulnerability in out-of-date Confluence Data Center and Server versions that could be exploited for remote code execution, without authentication.
The issue, tracked as CVE-2023-22527, is described as a template injection flaw that was mitigated in the supported versions of Confluence during regular updates.
The security defect impacts all out-of-date Confluence 8 versions released before Dec. 5, 2023, and Confluence version 8.4.5, which no longer receives backported fixes.
Confluence 7.19.x Long Term Support versions and Atlassian Cloud instances are not affected.
Atlassian notes that there are no workarounds available for this bug and that even Confluence instances that are not directly accessible from the internet might be at risk.
The company urges customers to update to the latest Confluence versions, but notes that the patches will also be backported to all LTS versions that have not reached end-of-life.
The latest Confluence versions also contain fixes for five high-severity vulnerabilities, including two unauthenticated and two authenticated RCE bugs, and a denial-of-service flaw in a third-party component.
The issues were included in Atlassian's January 2024 security bulletin, which details 23 other security defects in third-party dependencies in Jira, Crowd, Bitbucket, and Bamboo Data Center and Server instances, some of them more than five years old.
Atlassian makes no mention of any of these vulnerabilities being exploited in the wild, but Confluence flaws are often the target of threat actors.
This Cyber News was published on www.securityweek.com. Publication date: Wed, 17 Jan 2024 16:28:03 +0000