DIVD-2023-00045 - Confluence RCE Vulnerability In Confluence Data Center and Confluence Server

Our reference DIVD-2023-00045
Case lead Wessel Baltus
Researcher(s)
CVE(s)
Products
  • Confluence Data Center
  • Confluence Server
Versions
  • All versions on Confluence Data Center and Server prior to 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS)
  • All versions on Confluence Data Center only prior to 8.6.2, 8.7.1
Recommendation Upgrade to patched versions stated on Atlassian website
Patch status Fully patched
Status Open
Last modified 20 Dec 2023 20:11

Summary

A remote code execution vulnerability has been identified in Atlassian Confluence Data Center and Server. Data Center and Server versions prior to 7.19.17, 8.4.5, 8.5.4 and Data Center only versions prior to 8.6.2, 8.7.1 are vulnerable. The vulnerability allows an authenticated user, including one with anonymous access, to use template injection and obtain remote code execution.

What you can do

Upgrade to patched versions for Data Center and Server: 7.19.17; 8.4.5; 8.5.4. Upgrade to patched versions for Data Center only: 8.6.2; 8.7.1.
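
A version triage check built from the fixed releases listed above, as an added example that is not DIVD's or Atlassian's code. The edition labels, the sample inventory and the treatment of branches this case file does not name are assumptions of the example.

```python
# Added example: fixed releases are copied from this case file; the
# classification rules for unlisted branches are assumptions.
FIXED_BOTH = {(7, 19): 17, (8, 4): 5, (8, 5): 4}   # Data Center and Server
FIXED_DC_ONLY = {(8, 6): 2, (8, 7): 1}             # Data Center only


def parse_version(text):
    """Turn '8.5.3' into (8, 5, 3); a missing patch level counts as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    if len(parts) < 2:
        raise ValueError(f"not a Confluence version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version, edition):
    """Return 'vulnerable', 'patched' or 'not-listed'; edition labels are hypothetical."""
    if edition not in ("datacenter", "server"):
        raise ValueError(f"unknown edition: {edition!r}")
    fixed = dict(FIXED_BOTH)
    if edition == "datacenter":
        fixed.update(FIXED_DC_ONLY)
    major, minor, patch = parse_version(version)
    if (major, minor) in fixed:
        # Branch has a fixed release: compare patch levels within the branch.
        return "patched" if patch >= fixed[(major, minor)] else "vulnerable"
    newest = max(branch + (level,) for branch, level in fixed.items())
    if (major, minor, patch) < newest:
        # Older branch with no fix listed: "all versions prior to" applies.
        return "vulnerable"
    return "not-listed"  # newer than anything this case file names


def triage(inventory):
    """Map each (host, version, edition) row to its classification."""
    return {host: classify(ver, ed) for host, ver, ed in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("wiki-a.example", "7.19.16", "server"),
    ("wiki-b.example", "8.4.5", "server"),
    ("wiki-c.example", "8.3.2", "datacenter"),
    ("wiki-d.example", "8.6.1", "datacenter"),
    ("wiki-e.example", "8.7.1", "datacenter"),
]
```

Comparing within the release branch matters here: 8.4.5 is patched even though it sorts below 8.5.4, so a single "less than the newest fix" test would misreport it.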

What we are doing

DIVD is currently working to identify vulnerable parties and notify them. We do this by scanning for exposed Atlassian Confluence instances and examining these instances to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and remediation steps.

Timeline

Date Description
05 Dec 2023 Vulnerability reported to Atlassian Confluence
05 Dec 2023 Advisory released by Atlassian
09 Dec 2023 DIVD created a list of vulnerable Confluence instances
09 Dec 2023 First version of this case file
20 Dec 2023 DIVD identified vulnerable devices

More information