=====================================================================

                               CERT-Renater

                     Note d'Information No. 2023/VULN348

_____________________________________________________________________

DATE                : 26/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Confluence Data Center and Server
                     versions prior to 7.19.14, 8.5.1.

=====================================================================
https://jira.atlassian.com/browse/CONFSERVER-91258
_____________________________________________________________________

DoS (Denial of Service) in Confluence Data Center and Server

Details

     Type:               Public Security Vulnerability
     Resolution:         Fixed                 Priority:           High
     Fix Version/s:      8.6.0, 8.5.1, 7.19.14
     Affects Version/s:  5.6
     Component/s:        None
     Labels: advisory advisory-to-release dont-import
            failed-to-sanitize fixed-versions-not-yet-published security
     CVSS Score:         7.5
     CVSS Severity:      High
     CVE ID:             CVE-2023-22512
     Vulnerability Source: Bug Bounty
     CVSSv3 Vector:        CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
     Vulnerability Classes: DoS (Denial of Service)
     Affected Product(s):   Confluence Data Center, Confluence Server


Description

This High severity DoS (Denial of Service) vulnerability was introduced
in version 5.6 of Confluence Data Center and Server. With a CVSS score
of 7.5, it allows an unauthenticated attacker to make a resource
unavailable to its intended users by temporarily or indefinitely
disrupting services of a vulnerable, network-connected host (Confluence
instance). The vulnerability has no impact on confidentiality, no impact
on integrity and a high impact on availability, and requires no user
interaction.


Affected versions

All Confluence versions from 5.6 onwards apart from 7.19.14 and 8.5.1

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

     Confluence Data Center and Server 7.19:
        Upgrade to a release greater than or equal to 7.19.14
     Confluence Data Center and Server 8.5:
        Upgrade to a release greater than or equal to 8.5.1
     Confluence Data Center and Server 8.6 or above:
        No need to upgrade, you're already on a patched version
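The affected range above (introduced in 5.6, fixed in 7.19.14, 8.5.1 and
8.6.0) cannot be checked with a single "greater than the first fixed
version" comparison: 8.0 through 8.4 sort above 7.19.14 yet carry no fix.
The script below is an added example, not part of the CERT-Renater note
or of any Atlassian tooling; it encodes the note's rules branch by branch
and reports the minimal fixed release for each affected instance. The
hostnames and version strings in its sample inventory are constructed.

```python
"""Check Confluence Data Center / Server versions against the affected
range given in this note for CVE-2023-22512 (added example, not from the
note or from Atlassian).
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

INTRODUCED_IN: Version = (5, 6, 0)        # vulnerability introduced in 5.6
BRANCH_FIXES = {(7, 19): 14, (8, 5): 1}   # 7.19.14 and 8.5.1 carry the fix
FIXED_FROM: Version = (8, 6, 0)           # 8.6 and later ship patched


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple (patch defaults to 0)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True when the version falls inside the note's affected range.

    The check is per branch: a version is fixed only if it is at or above
    8.6.0, or at or above the fix level of its own branch (7.19 or 8.5).
    """
    v = parse_version(text)
    if v < INTRODUCED_IN:
        return False
    if v >= FIXED_FROM:
        return False
    branch_fix = BRANCH_FIXES.get(v[:2])
    if branch_fix is not None and v[2] >= branch_fix:
        return False
    return True


def recommended_target(text: str) -> Optional[str]:
    """Minimal fixed release for an affected version per the note, else None."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    branch_fix = BRANCH_FIXES.get(v[:2])
    if branch_fix is not None:
        return f"{v[0]}.{v[1]}.{branch_fix}"
    # Branches without an in-branch fix (e.g. 8.0-8.4) must leave the branch.
    return "8.6.0 or later"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported Confluence version.
    inventory = {"wiki-a": "7.19.13", "wiki-b": "8.4.2", "wiki-c": "8.5.1",
                 "wiki-d": "5.5.7", "wiki-e": "8.6.0"}
    for host, ver in inventory.items():
        target = recommended_target(ver)
        status = f"AFFECTED -> upgrade to {target}" if target else "not affected"
        print(f"{host:8} {ver:8} {status}")
```

Feeding the version reported by each instance into `is_affected` gives a
quick inventory triage; `recommended_target` returns the in-branch fix
where the note names one and otherwise points at 8.6.0 or later, in line
with the recommendation to move to the latest release.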

See the release notes
(https://confluence.atlassian.com/doc/confluence-release-notes-327.html).

You can download the latest version of Confluence Data Center and Server
from the download center
(https://www.atlassian.com/software/confluence/download-archives).

This vulnerability was reported via our Bug Bounty program.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
