Critical vulnerability found in Atlassian Confluence software

Atlassian has issued an out-of-cycle warning that all versions of its Confluence Data Centre and Confluence Server software are vulnerable to an improper authorisation vulnerability.

The company’s advisory for CVE-2023-22518 attributed a message to the company’s CISO, Bala Sathiamurthy, saying the users are “vulnerable to significant data loss” if the vulnerability is exploited.

“There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances,” Sathiamurthy wrote.

He continued that Atlassian would deliver patches “outside of our monthly advisory schedule”.

The advisory stated that “all versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.”

The bug doesn’t affect Atlassian Cloud sites (that is, those accessed through an atlassian.net domain).

The bug rates 9.1 on the Common Vulnerability Scoring System.

While Atlassian’s description of the vulnerability is light on detail, the discussion in the bug’s Jira ticket gives some hints.

Apparently, the bug results in leakage of file descriptors.

One user, Mavenir’s Martin Palecek, commented: “In our case it is not attachments that leak file descriptors. It's user avatars and nothing else than user avatars in our case. 

“The rate of leakage seems somewhat proportional to the rates of the requests the server is handling.”