Atlassian urges customers to patch a high-risk Confluence bug

Atlassian urges customers to patch a high-risk Confluence bug

Australian software firm Atlassian has released security patches to address a high-risk vulnerability affecting all versions of its Confluence Data Center and Server software.

Tracked as CVE-2023-22518, the flaw is described as an improper authorization issue that can be exploited remotely to bypass the authorization process or perform denial of service (DoS) attacks by sending specially crafted requests to the server.

Atlassian said it is not aware of exploitation attempts, however, the vendor urged customers to update their systems to fixed versions of the software.

“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker. There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances,” the company said in a security advisory.

“There is no impact to confidentiality as an attacker cannot exfiltrate any instance data,” Atlassian added.

If the upgrade is not possible at the moment, the company recommends customers to backup their instances and disconnect an instance from the public internet until the patch is applied.

Earlier this month, reports emerged that threat actors are actively exploiting another Atlassian Confluence Data Center and Server bug - CVE-2023-22515. According to Microsoft, a China-linked threat actor it tracks as Storm-0062 (aka DarkShadow and Oro0lxy) has been exploiting the flaw since September 14, 2023.

Back to the list

Latest Posts

Cyber Security Week in Review: June 20, 2025

Cyber Security Week in Review: June 20, 2025

In brief: the Langflow, TP-Link and Zyxel flaws exploited in the wild, Russian hackers use ASPs to infiltrate victims’ email accounts, and more
20 June 2025
Russian-linked hackers exploit Google App passwords in email espionage campaign

Russian-linked hackers exploit Google App passwords in email espionage campaign

Victims were tricked into creating and sharing ASPs under the mistaken belief that they are enabling secure communication with the US Department of State.
19 June 2025
FBI-wanted member of ransomware gang arrested in Ukraine, extradited to the US

FBI-wanted member of ransomware gang arrested in Ukraine, extradited to the US

Using custom-developed malware, including ransomware such as LockerGoga, MegaCortex, HIVE and Dharma, the hackers encrypted data on corporate networks.
18 June 2025