Atlassian has fixed a critical zero-day vulnerability in Confluence Data Center and Server that is being exploited in the wild.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the company said.
Atlassian describes CVE-2023-22515 as a critical privilege escalation vulnerability, and has confirmed that it affects Confluence Data Center and Server versions 8.0.0 and later.
“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue,” the company stated.
“Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself. It’s possible that the vulnerability could allow a regular user account to elevate to admin – notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default,” she noted.
Among them is CVE-2021-26084 in Atlassian Confluence Server, which has been patched two years ago but is still being exploited by attackers.
