Critical Zero-Day Bug in Atlassian Confluence Under Active Exploit

Patch now: The Atlassian security vulnerability appears to be a remotely exploitable privilege-escalation bug that cyberattackers could use to crack collaboration environments wide open.

A bandaid over computer code
Source: Andre Boukreev via Shutterstock

A critical privilege-escalation vulnerability in Atlassian Confluence Server and Confluence Data Center has been disclosed, with evidence of exploitation in the wild as a zero-day bug.

The flaw (CVE-2023-22515) affects on-premises instances of the platforms, in versions 8.0.0 and after.

"Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances," according to Atlassian's advisory on CVE-2023-22515, released late on Oct. 4.

Atlassian didn't provide a CVSSv3 score, but according to its internal severity level ratings, the score would be in the range of 9 to 10.

The stakes are high. Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Often Confluence environments can house sensitive data on both internal projects as well as its customers and partners.

An Unusual Critical Rating: Remotely Exploitable Privilege Escalation?

The critical designation is a fairly rare one for privilege escalation issues, Rapid7 researcher Caitlin Condon pointed out in an alert on the Confluence bug.

However, the Atlassian advisory goes on to note that "instances on the public Internet are particularly at risk, as this vulnerability is exploitable anonymously," indicating that it's remotely exploitable, she explained — a rare situation. She noted that the critical rating is "typically more consistent with an authentication bypass or remote code-execution chain than a privilege-escalation issue by itself."

However, Condon added, "It's possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default."

Patch Now: Confluence a Top Target for Cyberattackers

Atlassian has issued a patch; fixed versions are: 8.3.3 or later; 8.4.3 or later; and 8.5.2 (Long Term Support release) or later.

As far as other protection options, Atlassian doesn't specify where the bug resides or any other technical details, though it does note that known attack vectors can be mitigated by blocking access to the /setup/* endpoints on Confluence instances, which is a good indicator of where the problem resides.

Admins should restrict external network access to vulnerable systems until they can be upgraded, and Atlassian recommends checking all affected Confluence instances for the indicators of compromise (IoCs) listed in the advisory.

Patching should be top-of-mind; Atlassian is a known target for cyberattackers, as evidenced by the current zero-day exploitation, but there's also further precedent. In June 2022, Atlassian disclosed another critical zero-day vulnerability affecting Confluence Server and Data Center (CVE-2022-26134), this one a more typical remote code execution vulnerability. Proof-of-concept scripts and mass exploitation quickly followed the disclosure, peaking at 100,000 exploitation attempts daily.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights