CVE-2023-22526

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 7.19.0 of Confluence Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: Upgrade to a release 7.19.17, or any higher 7.19.x release Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615	Vendor Advisory
https://jira.atlassian.com/browse/CONFSERVER-93516	Permissions Required
https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615	Vendor Advisory
https://jira.atlassian.com/browse/CONFSERVER-93516	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::

History

21 Nov 2024, 07:44

Type	Values Removed	Values Added
References	~~() https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615 - Vendor Advisory~~	() https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615 - Vendor Advisory
References	~~() https://jira.atlassian.com/browse/CONFSERVER-93516 - Permissions Required~~	() https://jira.atlassian.com/browse/CONFSERVER-93516 - Permissions Required

22 Jan 2024, 14:52

Type	Values Removed	Values Added
CWE		CWE-94
CPE		cpe:2.3:a:atlassian:confluence_data_center:::::::: cpe:2.3:a:atlassian:confluence_server::::::::
References	~~() https://jira.atlassian.com/browse/CONFSERVER-93516 -~~	() https://jira.atlassian.com/browse/CONFSERVER-93516 - Permissions Required
References	~~() https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615 -~~	() https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615 - Vendor Advisory
First Time		Atlassian confluence Data Center Atlassian Atlassian confluence Server
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

16 Jan 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-16 05:15

Updated : 2025-06-20 17:15

NVD link : CVE-2023-22526

Mitre link : CVE-2023-22526

CVE.ORG link : CVE-2023-22526

JSON object : View

Products Affected

atlassian

confluence_data_center
confluence_server

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

8.8 /10