CVE-2023-22504

Summary

Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

Affected Software

VendorProductVersion RangeStatus
AtlassianConfluence Data Center< 1.1.2unaffected
AtlassianConfluence Data Center>= 1.1.2affected
AtlassianConfluence Data Center>= 7.14.0affected
AtlassianConfluence Data Center>= 7.20.0affected
AtlassianConfluence Data Center>= 7.13.7unaffected
AtlassianConfluence Data Center>= 7.19.9unaffected
AtlassianConfluence Data Center>= 8.2.2unaffected
AtlassianConfluence Data Center>= 8.3.0unaffected
AtlassianConfluence Server< 1.1.2unaffected
AtlassianConfluence Server>= 1.1.2affected
AtlassianConfluence Server>= 7.14.0affected
AtlassianConfluence Server>= 7.20.0affected
AtlassianConfluence Server>= 7.13.7unaffected
AtlassianConfluence Server>= 7.19.9unaffected
AtlassianConfluence Server>= 8.2.2unaffected
AtlassianConfluence Server>= 8.3.0unaffected

Weaknesses

  • Improper Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References