CyberWatch

Patch! Critical Confluence Data Center and Server vulnerability

By

By

Access Point Consulting

Summary

A critical severity flaw exists in all versions of Atlassian’s Confluence Data Center and Server. It is classified as CVE-2023-22518 with a CVSS score of 9.1 and is defined as an Improper Authorization Vulnerability by Atlassian. There is no evidence of active exploitation, but the CISO of Atlassian, Bala Sathiamurthy, has stated that customers should refer to the security advisory and take immediate action to protect their instances of Confluence Data Center and Server.

Impact Assessment

Atlassian’s Confluence Data Center and Server is a critical piece of infrastructure for any business that utilizes it. If the vulnerability is exploited it can allow an attacker to assume the identity of another user or give themselves access to actions they should not be able to do such as assigning roles, editing code, and managing or editing projects that exist in Confluence. This vulnerability stems from improper access control within the software.

What it means for you

Exploitation of this vulnerability by a bad actor or insider threat can lead to a myriad of problems such as information exposure, denial of service, and arbitrary code execution. If you or your organization utilize Atlassian’s Confluence Data Center and Server it is in your best interest to patch your instance of this software to the latest version as per vendor instructions.

Remediation

The vendor recommends upgrading the instance of this software to a fixed version:

Products

  • Confluence Data Center
  • Confluence Server

Fixed Versions

  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later
  • 8.6.1 or later

The vendor has also supplied mitigations, they recommend to back up your instance as well as removing the instance from access to the public internet until your organization is able to patch this software.

Business Implications

Exploitation of this vulnerability could cause extreme damage to daily workflows. This software can be essential for business-as-usual activities such as ticketing, programming, projects, etc. This can cause information exposure, denial of service, and arbitrary code execution which will result in costs for the business for triage and incident response, costs due to lack of productivity.

Access Point Technology Recommends

Patch — Access Point Technology recommends patching this software if it is used as soon as possible as recommended by the vendor.

Apply Mitigations — The vendor has supplied recommendations for mitigations which include making a backup of your current instance as well as removing the instance of confluence from access to the external internet until it is patched.

Associated Bulletins

https://cwe.mitre.org/data/definitions/285.html

https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html

https://jira.atlassian.com/browse/CONFSERVER-93142

https://www.cve.org/CVERecord?id=CVE-2023-22518

Resources

CyberWatch

April 2, 2025

Scott "Monty" Montgomery (Island) | Navigating CMMC compliance for organizations of every size

Scott Montgomery, known as Monty, joined the CyberWatch Expert Series podcast to discuss his extensive background in cybersecurity, particularly in building and designing network security tools for high-assurance environments like the Department of Defense (DoD) and the intelligence community. His experience includes significant tenure at McAfee (now Trellix), which led him to his current role at Island, where he focuses on innovative approaches to cybersecurity compliance.

Find out more
March 19, 2025

Michael Sviben (DomainGuard) | Defending against phishing and building proactive security awareness

Cybersecurity threats evolve rapidly, and one tactic consistently rises above the rest: phishing. In this episode of CyberWatch, Michael Sviben, co-founder of DomainGuard, discusses why phishing remains so effective, how businesses and individuals become targets, and what you can do to stay vigilant.

Find out more
March 5, 2025

David Habib (Brightspot) | Building a culture of cybersecurity awareness

Cybersecurity awareness is often reduced to check-the-box training, but David Habib, CIO at Brightspot, argues that real security awareness isn’t about formal programs—it’s about making security part of a company’s culture. In this episode, he shares practical insights on how organizations can move beyond stale training sessions to create an engaged and security-conscious workforce.

Find out more