Atlassian has discovered yet another critical vulnerability in its Confluence Data Center and Server collaboration and project management platform, and it’s urging customers to patch the problem immediately. The latest advisory by Atlassian describes CVE-2023-22518 as an improper authorization vulnerability that affects all versions of on-premises Confluence.
It is the second critical vulnerability in its widely used Confluence Data Center and Server platform that Atlassian has reported in a month, and one of numerous security issues from the company during the past year. The previous bulletin (CVE-2023-22515) revealed a vulnerability that could allow an attacker to create unauthorized Confluence administrator accounts, thereby gaining access to instances. That vulnerability had a severity level of 10 and was initially discovered by customers who reported they may have been breached through it.
To date, Atlassian is not aware of any active exploits of the newest vulnerability, which has a severity level of 9.1, though the company issued a statement encouraging customers to apply the patch. “We have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” Atlassian CISO Bala Sathiamurthy warned in a statement. “Customers must take immediate action to protect their instances.”
Only On-Premises Versions Affected
The new vulnerability does not affect confidentiality because an attacker can’t exfiltrate any instance data, according to the advisory. Atlassian emphasized that only those with the on-premises version are affected, not those with the cloud or SaaS versions. Field Effect, a security intelligence provider, echoed Atlassian’s advice that customers make patching the servers a priority.
“Based on the information Atlassian released, it would appear this vulnerability only allows threat actors to delete or otherwise make the data residing on vulnerable servers inaccessible to their rightful users,” according to a blog post by the Field Effect security intelligence team. “Although this vulnerability is still a risk, it would be worse if actors were able to exfiltrate information to then extort the victim into paying the threat actor not to publicly release the data that was obtained.”
Some customers used the advisory’s comments section to ask instance-specific questions, such as whether a Web application firewall would be helpful. Others shared frustration with the latest discovery. “I feel like there’s a vulnerability every month,” according to a comment on the forum by a poster identified as “Oufiniamine.”
“Further information on this exploit and how to harden against it would really be helpful for those not having capacity to do this on a (by now: weekly) basis,” added Michael Scholze, another commenter on the Atlassian support forum. “It also doesn’t really spark confidence in your ‘Cloud Product’ being safe, especially in context of each new ‘LTS’ update on 7.19.x branch seemingly removing more and more functionality.”