Atlassian Confluence vulnerability enables remote code execution

An Atlassian Confluence critical vulnerability allows remote code execution (RCE) by unauthenticated users in unpatched versions, the company warned Tuesday.

Atlassian customers using Confluence Data Center and Server version 8 are affected if they have not updated to at least 8.5.4, released Dec. 5. The company recommended all customers to update to the latest Confluence version, 8.5.5, immediately.

An Atlassian spokesperson told SC Media Wednesday that the company does not have evidence of an active exploit of CVE-2023-22527 in the wild.

Latest Atlassian CVE receives maximum CVSS score

The critical Confluence vulnerability, tracked as CVE-2023-22527, was given a maximum CVSS score of 10 by Atlassian due to the ability for attackers to achieve RCE in a low-complexity attack and without authentication.

Confluence customers whose instances are not connected to the internet and do not allow anonymous access may still be at risk due to this vulnerability, according to Atlassian.

“The possibility of multiple entry points, along with chained attacks, makes it difficult to list all possible indicators of compromise,” the company stated in an FAQ for customers.

CVE-2023-22527 is a template injection vulnerability, similar to CVE-2023-22522, which also risked RCE on Confluence Data Center and Server. However, the earlier bug required authentication, while the latest vulnerability can be exploited by unauthenticated attackers.

The bug was discovered and reported by security researcher Petrus Viet on Dec. 13 as part of Atlassian’s bug bounty program. Although the bug had already incidentally been fixed at the time of the report, due to the implementation of OGNL Guard, Atlassian still awarded the bounty due to the need for a public advisory on the critical flaw.

Viet posted a screenshot on their X account showing the use of a crafted HTTP POST request to exploit the vulnerability.