CVE-2023-22503

Name of the Vulnerable Software and Affected Versions Atlassian Confluence Server versions prior to 7.13.15 Atlassian Confluence Server versions 7.14.0 through 7.19.7 Atlassian Confluence Server versions 7.20.0 through 8.2.0 Atlassian Confluence Data Center versions prior to 7.13.15 Atlassian Confluence Data Center versions 7.14.0 through 7.19.7 Atlassian Confluence Data Center versions 7.20.0 through 8.2.0

Description The issue is related to insufficient protection of service data in the macro preview feature of Atlassian Confluence Server and Data Center. This allows anonymous remote attackers to view the names of attachments and labels in a private Confluence space via an Information Disclosure vulnerability. The vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.

Recommendations For versions prior to 7.13.15, update to version 7.13.15 or later. For versions 7.14.0 through 7.19.7, update to version 7.19.7 or later. For versions 7.20.0 through 8.2.0, update to version 8.2.0 or later. As a temporary workaround, consider restricting access to the macro preview feature until a patch is available.