All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated malicious user to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
atlassian confluence data center |
||
atlassian confluence data center 8.6.0 |
||
atlassian confluence server |
||
atlassian confluence server 8.6.0 |
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Risk of ‘significant data loss’ for on-prem customers
Atlassian has told customers they “must take immediate action” to address a newly discovered flaw in its Confluence collaboration tool. An advisory issued on October 31st warns of CVE-2023-22518, described as an “improper authorization vulnerability in Confluence Data Center and Server”, the on-prem versions of Atlassian’s products. All versions of Confluence are susceptible to the bug, which Atlassian rates at 9.1/10 severity on the ten-point Common Vulnerability Scoring System. The A...
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Attackers secure admin rights after vendor said they could only steal data
Atlassian reassessed the severity rating of the recent improper authorization vulnerability in Confluence Data Center and Server, raising the CVSS score from 9.1 to a maximum of 10. The company overhauled its security advisory for CVE-2023-22518 after it realized there had been a "change in the scope of the attack" on Monday. In its original advisory, the Aussie-headquartered vendor said exploitation of the vulnerability by an unauthenticated user could lead to "significant data loss." In the re...
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Bitbucket, Confluence and Jira all in danger, again. Sigh
Atlassian has emailed its customers to warn of four critical vulnerabilities, but the message had flaws of its own – the links it contained weren't live for all readers at the time of despatch. The email, seen by The Register, warns of flaws rated 9.0 or higher on the Common Vulnerability Scoring System (CVSS) scale and offers a link to an advisory. But that link was to a page that did not describe the relevant flaws, instead detailing CVE-2023-22518, the 9.1-rated stinker revealed in late Oct...
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Crew may well be working under contract for Beijing
Chinese spies exploited a couple of critical-severity bugs in F5 and ConnectWise equipment earlier this year to sell access to compromised US defense organizations, UK government agencies, and hundreds of other entities, according to Mandiant. The Google-owned threat hunters said they assess, "with moderate confidence," that a crew they track as UNC5174 was behind the exploitation of CVE-2023-46747, a 9.8-out-of-10-CVSS-rated remote code execution bug in the F5 BIG-IP Traffic Management User Int...