Atlassian is warning users of out-of-date Confluence data centre and server environments that they need to update to a current version to patch a critical-rated vulnerability.
CVE-2023-22527 carries a CVSS score of 10 and is a template injection vulnerability that gives an unauthenticated attacker remote code execution (RCE) capability.
Recent supported versions are not affected, because the vulnerability was “ultimately mitigated during regular updates.”
Affected versions were released before December 5, 2023, and include 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3.
The bug is fixed in Confluence data centre and server version 8.5.5 (LTS); and in Confluence data centre 8.7.2.
The company yesterday also released a security bulletin covering 28 high-rated vulnerabilities.
The fixes patch 14 denial-of-service bugs in the data centre and server versions of Bitbucket and Bamboo; information disclosure vulnerabilities in Crowd and Bamboo; six RCEs in Bamboo and Confluence; request smuggling vulnerabilities in Apache components used in Bitbucket, Bamboo, Crowd and Jira software; a server-side request forgery vulnerability in Jira service management; and an XML external entity injection bug in Jira software.