Atlassian is warning security teams to “take immediate action” after disclosing a critical-severity improper authorization vulnerability in its popular Confluence Server and Data Center products.
Patches are available for the flaw (CVE-2023-22518), which impacts all versions of Confluence Data Center and Server. Further details for the vulnerability were not specified, but the bug is rated 9.1 out of 10 on the CVSS v3 scale, and Atlassian is underscoring its potential impact for customers.
“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” according to Bala Sathiamurthy, CISO with Atlassian, in a Tuesday advisory.
Notably, while Atlassian stressed the potential for data loss due to this flaw, it said there is no impact to confidentiality as “an attacker cannot exfiltrate any instance data.”
Atlassian on Monday released fixed versions addressing the flaw (versions 7.19.16 or later, 8.3.4 or later, 8.4.4 or later, 8.5.3 or later and 8.6.1 or later) and urged customers to apply the patches. The company also warned that versions that have reached end of life may also be impacted.
“There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances,” said Sathiamurthy.
If organizations are unable to patch immediately, they should back up their instances, and instances that are accessible via the internet should be restricted from external network access until they can apply the fixes.
The company last month also patched a critical-severity privilege escalation bug (CVE-2023-22515) in several versions of its Confluence product. U.S. government agencies warned that they expected to see “widespread, continued exploitation” for that bug and urged network administrators to apply the patch for the flaw immediately.