Atlassian Finds Public Exploit for Critical Bug

Software vendor Atlassian has discovered “publicly posted critical information” about a recently published critical vulnerability, increasing the likelihood it will be exploited in the wild.
A brief update by the Australian developer on Thursday said its discovery had come during “ongoing monitoring” of the vulnerability in the popular Confluence workspace tool.
“There are still no reports of an active exploit, though customers must take immediate action to protect their instances,” it urged.
The software flaw (CVE-2023-22518) is listed as an improper authorization vulnerability affecting all versions of Confluence Data Center and Server, although Atlassian Cloud sites accessed via atlassian.net are unaffected.
The bug has a CVSS score of 9.1, which should single it out as a priority to patch for any sysadmin managing the software in their organization.
Although the CVE will not enable an attacker to exfiltrate corporate data, it could allow an attacker to wipe any data they find in affected Confluence environments.
Atlassian CISO, Bala Sathiamurthy, warned that exploitation by an unauthenticated attacker could lead to “significant data loss.”
If organizations are unable to patch, they are encouraged to:
- Back up their instance
- Remove the instance from the internet until patching is possible, including even instances that require user authentication
- Apply several listed measures to block access on three key endpoints
Atlassian has become an increasingly popular target for attacks in recent years as users flock to its Confluence product for remote collaboration.
In August 2022, threat actors were discovered exploiting CVE-2022-26134 in the product to deploy a novel backdoor against multiple unnamed organizations.
In October, US agencies urged customers to patch a critical broken authentication & session management bug (CVE-2023-22515) in Confluence Data Center and Server. They warned of active exploitation in the wild by Chinese threat group Storm-0062.