PT-2023-7517 · Atlassian · Confluence

Sharada Moorthy

Published

2023-01-01

Updated

2024-01-02

CVE-2023-22522

CVSS v3.1

9.0

Critical

Vector

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Atlassian Confluence Server versions 4.x.x through 8.5.3 Atlassian Confluence Data Center versions 4.x.x through 8.6.1

Description This issue allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page, achieving Remote Code Execution (RCE) on an affected instance. Atlassian Cloud sites are not affected by this issue. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Recommendations Immediately patch to a fixed version. For Confluence Data Center and Server, update to version 7.19.17 (LTS), 8.4.5, or 8.5.4 (LTS). For Confluence Data Center, update to version 8.6.2 or later, or 8.7.1 or later.

Fix

RCE

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-159CWE-138

Related Identifiers

BDU:2023-08564

CVE-2023-22522

Affected Products

Confluence

PT-2023-7517 · Atlassian · Confluence

CVE-2023-22522

Weakness Enumeration

Related Identifiers

Affected Products

References · 26