This advisory is for organizations that use Confluence Data Center and Confluence Server on premises. If your organization does not use this product, this notification may be discarded.
Atlassian has released a warning regarding a critical vulnerability in “out of date” versions of Confluence Data Center and Confluence Server. Atlassian describes this as a template injection vulnerability that would allow unauthenticated attackers to perform remote code execution (RCE). Atlassian has informed its customers that most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability, as it was ultimately mitigated during regular updates. Organizations that have not applied recent patches will need to apply updates to address this vulnerability.
“Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”
CVE-2023-22527 – RCE Vulnerability in Confluence Data Center and Confluence Server
Confluence Data Center and Server
8.5.0 – 8.5.3
Users running out-of-date versions should immediately patch to at least the Fixed Version, and ideally to the Latest Version (to address additionally discovered vulnerabilities).