
DIVD-2023-00042 - Confluence improper authorization vulnerability

Our reference DIVD-2023-00042
Case lead Wessel Baltus
Researcher(s)
CVE(s)
Products
  • Confluence Data Center
  • Confluence Server
Versions
  • All versions prior to 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1
Recommendation Upgrade to the patched versions stated on the Atlassian website
Patch status Fully patched
Status Open
Last modified 21 Dec 2023 09:31

Summary

An improper authorization vulnerability has been identified in Atlassian Confluence versions before 7.19.16, 8.3.4, 8.4.4, 8.5.3 and 8.6.1. It allows an unauthorized user to put the Confluence server into setup mode and, using that setup mode, create administrator accounts, which can then be used to achieve remote code execution.

What you can do

Upgrade to one of the patched versions: 7.19.16, 8.3.4, 8.4.4, 8.5.3 or 8.6.1.

What we are doing

DIVD is currently working to identify vulnerable parties and notify them. We do this by scanning for exposed Atlassian Confluence instances and examining them to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and remediation steps.
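Triage of an inventory of Confluence version strings against the fixed versions listed in this case file, as an added example (not DIVD's scanning tooling). It assumes that an instance is patched when it is on one of the fixed branches at or after that branch's fix, or at or after the newest fix (8.6.1), and that every other version counts as "prior to" a fix; the host names and versions are constructed.

```python
import re

# Fixed versions listed in the DIVD-2023-00042 case file.
FIXED_VERSIONS = ("7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1")


def parse_version(text: str) -> tuple:
    """Turn '8.5.3' (any trailing suffix is ignored) into (8, 5, 3)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '8.6' compares like '8.6.0'.
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """Assumed rule: patched iff on a fixed branch at/after its fix, or >= newest fix."""
    v = parse_version(version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS]
    if v >= max(fixes):
        return False  # at or beyond the newest fix (8.6.1)
    for fix in fixes:
        if v[:2] == fix[:2] and v >= fix:
            return False  # same release branch, at or after that branch's fix
    return True  # prior to every applicable fix (includes branches with no fix)


def triage(inventory: dict) -> dict:
    """Split a host -> version inventory into vulnerable and patched host lists."""
    result = {"vulnerable": [], "patched": []}
    for host, version in sorted(inventory.items()):
        result["vulnerable" if is_vulnerable(version) else "patched"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "wiki-a.example": "7.19.15",  # prior to 7.19.16 -> vulnerable
        "wiki-b.example": "8.5.3",    # the fixed version itself -> patched
        "wiki-c.example": "8.2.1",    # no fix listed for the 8.2 branch -> vulnerable
        "wiki-d.example": "8.7.0",    # newer than every listed fix -> patched
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts)}")
```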

Timeline

Date Description
31 Oct 2023 Vulnerability reported to Atlassian Confluence
31 Oct 2023 Advisory released by Atlassian
20 Nov 2023 DIVD created a list of vulnerable Confluence instances
22 Nov 2023 First version of this case file


More information