PT-2023-6683 · Atlassian · Confluence

Bala Sathiamurthy · Published 2023-02-17 · Updated 2025-12-29 · CVE-2023-22518

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Atlassian Confluence Data Center and Server versions prior to 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1

Description: Atlassian Confluence Data Center and Server are affected by an improper authorization vulnerability that allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. An attacker with this access can perform all administrative actions, potentially leading to a full loss of confidentiality, integrity, and availability. The vulnerability is tracked as CVE-2023-22518 and has been assigned a critical severity rating, initially 9.1 and later escalated to 10. Active exploitation has been observed: attackers use the vulnerability to gain access, create administrator accounts, install the Effluence web shell plugin, and deploy a Linux variant of the Cerber ransomware. All versions of Confluence Data Center and Server before the fixed releases are affected, and publicly accessible instances are directly exposed. The vulnerability allows attackers to manipulate data, including remotely uploading or deleting files. The attacks exploit the /json/setup-restore.action, /json/setup-restore-local.action, and /json/setup-restore-progress.action endpoints.

Recommendations: Upgrade to a fixed release: Confluence Data Center 7.19.16 or later, Confluence Server 8.3.4 or later, Confluence Data Center 8.4.4 or later, Confluence Server 8.5.3 or later, or Confluence Data Center 8.6.1 or later. If patching is not immediately possible: back up your instance; remove it from the internet or restrict external network access; and block access to the /json/setup-restore.action, /json/setup-restore-local.action, and /json/setup-restore-progress.action endpoints.
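Two defender-side checks that follow from the advisory, as an added example that is not part of the advisory itself: a version triage helper built from the fixed releases listed above (treating branches with no fixed release, such as 8.0 to 8.2, as vulnerable because every such version is prior to 8.3.4), and a scan of combined-format access logs for requests to the three setup-restore endpoints. The log lines and IP addresses are constructed sample data.

```python
import re
from typing import Iterable

# Endpoints the advisory names as the exploited setup-restore actions.
SETUP_RESTORE_ENDPOINTS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)

# Fixed releases from the advisory, keyed by minor branch. 8.6.1 and every
# later release are fixed; branches with no listed fix (e.g. 8.0 to 8.2) are
# treated as vulnerable since all of their versions are prior to 8.3.4.
FIXED_BY_BRANCH = {(7, 19): (7, 19, 16), (8, 3): (8, 3, 4),
                   (8, 4): (8, 4, 4), (8, 5): (8, 5, 3)}
FIRST_FIXED_MAINLINE = (8, 6, 1)


def is_fixed(version: str) -> bool:
    """True if a Confluence DC/Server version is at or above a fixed release."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    parts = tuple(nums + [0] * (3 - len(nums)))  # pad e.g. "8.5" -> (8, 5, 0)
    fixed = FIXED_BY_BRANCH.get(parts[:2])
    if fixed is not None:
        return parts >= fixed
    return parts >= FIRST_FIXED_MAINLINE


# Common/combined log format: client IP, request line, status code.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def find_setup_restore_requests(lines: Iterable[str]) -> list[dict]:
    """Flag every request to a setup-restore endpoint. On an instance that has
    completed setup these paths should never be reached, so each hit is worth
    a look, whatever the status code."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # drop the query string before matching
        if path in SETUP_RESTORE_ENDPOINTS:
            hits.append({"ip": ip, "method": method, "path": path, "status": int(status)})
    return hits


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Nov/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 1532',
    '203.0.113.7 - - [03/Nov/2023:10:12:05 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 88',
    '203.0.113.7 - - [03/Nov/2023:10:12:09 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 200 41',
    '198.51.100.4 - - [03/Nov/2023:10:13:00 +0000] "GET /rest/api/content HTTP/1.1" 200 9021',
]
```

Running `find_setup_restore_requests(SAMPLE_LOG)` returns the two setup-restore hits from 203.0.113.7, and `is_fixed("8.5.2")` is False while `is_fixed("8.5.3")` is True.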

Exploit · Fix · RCE

Weakness Enumeration: Incorrect Authorization; Use of a Broken Cryptographic Algorithm

Related Identifiers: BDU:2023-07453, CVE-2023-22518

Affected Products: Confluence