CVE-2023-22504 — Unrestricted File Upload in Atlassian Confluence Server

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 58.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Confluence Server Atlassian Confluence Data Center

Timeline

PublishedMay 25

Description

Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDatlassian/confluence_server7.14.0 — 7.19.9+2

▶CVEListV5atlassian/confluence_server>= 1.1.2, >= 7.14.0, >= 7.20.0+2

▶CVEListV5atlassian/confluence_data_center>= 1.1.2, >= 7.14.0, >= 7.20.0+2

🔴Vulnerability Details

GHSA

GHSA-hfhf-22gm-76w3: Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload atta↗2023-05-25

▶

CVEList

CVE-2023-22504: Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload atta↗2023-05-25

▶