Confluence Server and Data Center Critical CVSS 10 vulnerability CVE-2023-22527 - RCE
Atlassian Confluence Data Center and Server have a critical remote code execution (RCE) vulnerability affecting versions released before December 5, 2023, including versions that are no longer supported.
The vulnerability, tracked as CVE-2023-22527 and rated critical (CVSS v3: 10.0), is a template injection flaw that lets unauthenticated attackers execute arbitrary code remotely on affected Confluence instances.
Atlassian's security bulletin states, "Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was addressed in regular updates."
However, Atlassian advises customers to update to the latest version to protect their systems against the other, less severe vulnerabilities listed in Atlassian's January Security Bulletin.
The RCE vulnerability affects Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 to 8.5.3.
Atlassian resolved the issue in Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), all released in December 2023. It is not clear whether the fix was a deliberate silent patch in those releases or an incidental result of routine code changes.
These patched versions are not the latest releases, so administrators who have already upgraded beyond them are also not exposed to CVE-2023-22527; only instances still running one of the affected versions listed above need to be patched.
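The affected and fixed ranges above are easy to misread when checking a fleet by hand. The following script, an added example that is not Atlassian's code and not part of the original article, encodes only the version ranges the advisory states and classifies a version string as affected, fixed, or not listed (for releases older than 8.0, which the advisory does not name). How you obtain each instance's version string (the admin console, the page footer, a CMDB export) is left to the caller; the inventory at the bottom is constructed sample data, not real hosts.

```python
"""Classify Confluence Data Center/Server versions against CVE-2023-22527.

Added example, not Atlassian's code. Version ranges are taken from the
advisory text: 8.0.x through 8.4.x and 8.5.0-8.5.3 are affected; 8.5.4 (LTS),
8.6.0 and 8.7.1 (both Data Center only) are the first fixed releases.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

AFFECTED_LOW: Version = (8, 0, 0)      # first affected release line
FIRST_FIXED: Version = (8, 5, 4)       # first fixed release (LTS line)


def parse_version(text: str) -> Version:
    """Turn '8.5.3', 'Confluence 8.5.3' or '8.5' into a comparable tuple.

    A missing patch component is treated as .0 so that '8.5' sorts before
    '8.5.1'. Raises ValueError if no dotted version number is present.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one version string."""
    v = parse_version(text)
    if v < AFFECTED_LOW:
        # 7.x and earlier are not in the advisory's affected list; this does
        # not mean they are safe against everything else, only that this CVE
        # does not name them.
        return "not listed"
    if v < FIRST_FIXED:
        return "affected"        # 8.0.0 .. 8.5.3 inclusive
    # 8.5.4+, 8.6.0+, 8.7.1+ and every later release carry the fix.
    return "fixed"


def triage(inventory: Dict[str, str]) -> List[str]:
    """Given {host: version_string}, return hosts that still need the patch."""
    return sorted(host for host, ver in inventory.items()
                  if classify(ver) == "affected")


# Constructed sample inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = {
    "wiki-prod": "8.5.3",
    "wiki-dr": "Confluence 8.5.4",
    "wiki-legacy": "8.2.1",
    "wiki-old-lts": "7.19.17",
    "wiki-dc": "8.7.1",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:12} {ver:18} {classify(ver)}")
    print("needs patch:", ", ".join(triage(SAMPLE_INVENTORY)))
```

The comparison is done on integer tuples rather than strings so that 8.5.10 correctly sorts after 8.5.4; a naive string comparison would rank it as affected. Feed the real version strings from your own inventory into `triage` and patch every host it returns.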