Broken Access Control in Atlassian Confluence Server Affects Remote Users
CVE-2023-22504

4.3 MEDIUM

Key Information:

Vendor: Atlassian
CVE Published: 25 May 2023

Summary

A flaw in Atlassian Confluence Server allows remote attackers who hold only read permission on a space or page to upload attachments, even though they lack the write permission that attachment uploads should require. This Broken Access Control vulnerability lets an unauthorized user add or alter uploaded files, which could serve as a stepping stone to further exploitation.

Affected Version(s)

Confluence Data Center >= 1.1.2 < 1.1.2

Confluence Data Center >= 7.14.0 >= 7.14.0

Confluence Data Center >= 7.20.0 >= 7.20.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team.