
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN817
_____________________________________________________________________

DATE                : 20/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Confluence Data Center and Server
                     versions prior to 8.5.20, 9.2.6, 9.3.1, 9.4.0,
                     9.5.4, 10.0.2 or 10.1.1 (the highest first-fixed
                     release per branch across the seven advisories
                     below; note that CVE-2025-41248 requires 10.1.1
                     and CVE-2022-38900 requires 9.5.4).

=====================================================================
https://jira.atlassian.com/browse/CONFSERVER-101488
https://jira.atlassian.com/browse/CONFSERVER-101479
https://jira.atlassian.com/browse/CONFSERVER-101477
https://jira.atlassian.com/browse/CONFSERVER-101480
https://jira.atlassian.com/browse/CONFSERVER-101485
https://jira.atlassian.com/browse/CONFSERVER-101486
https://jira.atlassian.com/browse/CONFSERVER-101487
_____________________________________________________________________

SSRF (Server-Side Request Forgery) Third-Party Dependency in
Confluence Data Center and Server - CVE-2023-42282

    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               Highest
    Fix Version/s:          8.5.20, 9.2.6, 9.3.1, 9.4.0, 9.5.2, 10.0.2, 10.1.0
    Affects Version/s:      7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0,
                            9.0.1, 9.1.0, 9.2.5, 9.5.1
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             9.8
    CVSS Severity:          Critical
    CVE ID:                 CVE-2023-42282
    Vulnerability Source:   Atlassian (Internal)
    CVSSv3 Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:  SSRF (Server-Side Request Forgery)
    Affected Product(s):    Confluence Data Center, Confluence Server
    Advisory URL:
    https://confluence.atlassian.com/pages/viewpage.action?pageId=1680474186

This Critical severity vulnerability, CVE-2023-42282, was introduced in
versions 7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0, 9.0.1, 9.1.0, 9.2.5
and 9.5.1 of Confluence Data Center and Server (the Affects Version/s
list above).

It has a CVSS score of 9.8 with the vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the
network, low attack complexity, no privileges or user interaction
required, and high impact on confidentiality, integrity and
availability.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the supported fixed versions below (first fixed
release on each branch):

    Confluence Data Center and Server 8.5:  upgrade to 8.5.20 or later
    Confluence Data Center and Server 9.2:  upgrade to 9.2.6 or later
    Confluence Data Center and Server 9.3:  upgrade to 9.3.1 or later
    Confluence Data Center and Server 9.4:  upgrade to 9.4.0 or later
    Confluence Data Center and Server 9.5:  upgrade to 9.5.2 or later
    Confluence Data Center and Server 10.0: upgrade to 10.0.2 or later
    Confluence Data Center and Server 10.1: upgrade to 10.1.0 or later

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

Path Traversal Third-Party Dependency in Confluence Data Center and
Server - CVE-2025-48387

    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               High
    Fix Version/s:          8.5.10, 9.2.5, 9.3.1, 9.5.1, 10.0.2, 10.1.0
    Affects Version/s:      7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0,
                            9.0.1, 9.1.0, 9.2.3, 9.4.0
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             8.7
    CVSS Severity:          High
    CVE ID:                 CVE-2025-48387
    Vulnerability Source:   Atlassian (Internal)
    CVSS Vector (v4.0):     CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
                            (the threat, environmental and supplemental
                            metrics are all Not Defined and are omitted)
    Vulnerability Classes:  Path Traversal (Arbitrary Read/Write)
    Affected Product(s):    Confluence Data Center, Confluence Server

This High severity vulnerability, CVE-2025-48387, was introduced in
versions 7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0, 9.0.1, 9.1.0, 9.2.3
and 9.4.0 of Confluence Data Center and Server.

It has a CVSS 4.0 score of 8.7 with the base vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N:
reachable over the network with no privileges or user interaction
required, scored as a high integrity impact on the vulnerable system
with no confidentiality or availability impact and no impact on
subsequent systems.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the supported fixed versions below (first fixed
release on each branch):

    Confluence Data Center and Server 8.5:  upgrade to 8.5.10 or later
    Confluence Data Center and Server 9.2:  upgrade to 9.2.5 or later
    Confluence Data Center and Server 9.3:  upgrade to 9.3.1 or later
    Confluence Data Center and Server 9.5:  upgrade to 9.5.1 or later
    Confluence Data Center and Server 10.0: upgrade to 10.0.2 or later
    Confluence Data Center and Server 10.1: upgrade to 10.1.0 or later

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

DoS (Denial of Service) Third-Party Dependency in Confluence Data
Center and Server - CVE-2024-37890

    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               High
    Fix Version/s:          8.5.10, 9.2.5, 9.3.1, 9.5.1, 10.0.2, 10.1.0
    Affects Version/s:      3.3.3, 9.2.3, 9.4.0
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             7.5
    CVSS Severity:          High
    CVE ID:                 CVE-2024-37890
    Vulnerability Source:   Atlassian (Internal)
    CVSSv3 Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Affected Product(s):    Confluence Data Center, Confluence Server

This High severity vulnerability, CVE-2024-37890, was introduced in
versions 3.3.3, 9.2.3 and 9.4.0 of Confluence Data Center and Server
(as listed in the Affects Version/s field above).

It has a CVSS score of 7.5 with the vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the
network with no privileges or user interaction required, with a high
impact on availability only.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the supported fixed versions below (first fixed
release on each branch):

    Confluence Data Center and Server 8.5:  upgrade to 8.5.10 or later
    Confluence Data Center and Server 9.2:  upgrade to 9.2.5 or later
    Confluence Data Center and Server 9.3:  upgrade to 9.3.1 or later
    Confluence Data Center and Server 9.5:  upgrade to 9.5.1 or later
    Confluence Data Center and Server 10.0: upgrade to 10.0.2 or later
    Confluence Data Center and Server 10.1: upgrade to 10.1.0 or later

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

DoS (Denial of Service) Third-Party Dependency in Confluence Data
Center and Server - CVE-2024-45296

    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               High
    Fix Version/s:          8.5.17, 9.2.6, 9.4.0, 9.5.1, 10.0.2, 10.1.0
    Affects Version/s:      7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0,
                            9.0.1, 9.1.0, 9.2.0, 9.3.1
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             7.5
    CVSS Severity:          High
    CVE ID:                 CVE-2024-45296
    Vulnerability Source:   Atlassian (Internal)
    CVSSv3 Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:  DoS (Denial of Service)
    Affected Product(s):    Confluence Data Center, Confluence Server

This High severity vulnerability, CVE-2024-45296, was introduced in
versions 7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0, 9.0.1, 9.1.0, 9.2.0
and 9.3.1 of Confluence Data Center and Server.

It has a CVSS score of 7.5 with the vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the
network with no privileges or user interaction required, with a high
impact on availability only.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the supported fixed versions below (first fixed
release on each branch):

    Confluence Data Center and Server 8.5:  upgrade to 8.5.17 or later
    Confluence Data Center and Server 9.2:  upgrade to 9.2.6 or later
    Confluence Data Center and Server 9.4:  upgrade to 9.4.0 or later
    Confluence Data Center and Server 9.5:  upgrade to 9.5.1 or later
    Confluence Data Center and Server 10.0: upgrade to 10.0.2 or later
    Confluence Data Center and Server 10.1: upgrade to 10.1.0 or later

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

Improper Authorization Third-Party Dependency in Confluence Data
Center and Server - CVE-2025-41248

    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               High
    Fix Version/s:          10.1.1
    Affects Version/s:      10.1.0
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             7.5
    CVSS Severity:          High
    CVE ID:                 CVE-2025-41248
    Vulnerability Source:   Atlassian (Internal)
    CVSSv3 Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    Vulnerability Classes:  Improper Authorization
    Affected Product(s):    Confluence Data Center, Confluence Server

This High severity vulnerability, CVE-2025-41248, was introduced in
version 10.1.0 of Confluence Data Center and Server; earlier branches
are not listed as affected.

It has a CVSS score of 7.5 with the vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the
network with no privileges or user interaction required, with a high
impact on confidentiality only.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to the supported fixed version below:

    Confluence Data Center and Server 10.1: upgrade to 10.1.1 or later

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

DoS (Denial of Service) Third-Party Dependency in Confluence Data
Center and Server - CVE-2022-38900

    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               High
    Fix Version/s:          8.5.18, 9.2.1, 9.3.1, 9.5.4, 10.0.2, 10.1.0
    Affects Version/s:      7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0,
                            9.0.1, 9.1.0, 9.2.0, 9.4.0, 9.5.1
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             7.5
    CVSS Severity:          High
    CVE ID:                 CVE-2022-38900
    Vulnerability Source:   Atlassian (Internal)
    CVSSv3 Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:  DoS (Denial of Service)
    Affected Product(s):    Confluence Data Center, Confluence Server

This High severity vulnerability, CVE-2022-38900, was introduced in
versions 7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0, 9.0.1, 9.1.0, 9.2.0,
9.4.0 and 9.5.1 of Confluence Data Center and Server.

It has a CVSS score of 7.5 with the vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the
network with no privileges or user interaction required, with a high
impact on availability only.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the supported fixed versions below (first fixed
release on each branch; note that the 9.5 branch needs 9.5.4, later
than the 9.5 fix for the other advisories in this note):

    Confluence Data Center and Server 8.5:  upgrade to 8.5.18 or later
    Confluence Data Center and Server 9.2:  upgrade to 9.2.1 or later
    Confluence Data Center and Server 9.3:  upgrade to 9.3.1 or later
    Confluence Data Center and Server 9.5:  upgrade to 9.5.4 or later
    Confluence Data Center and Server 10.0: upgrade to 10.0.2 or later
    Confluence Data Center and Server 10.1: upgrade to 10.1.0 or later

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.

_____________________________________________________________________

Prototype Pollution Third-Party Dependency in Confluence Data Center
and Server - CVE-2022-46175

    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               High
    Fix Version/s:          8.5.17, 9.2.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0
    Affects Version/s:      7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0,
                            9.0.1, 9.1.0, 9.2.0, 9.3.1
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             7.1
    CVSS Severity:          High
    CVE ID:                 CVE-2022-46175
    Vulnerability Source:   Atlassian (Internal)
    CVSSv3 Vector:          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
    Vulnerability Classes:  Prototype Pollution
    Affected Product(s):    Confluence Data Center, Confluence Server

This High severity vulnerability, CVE-2022-46175, was introduced in
versions 7.19.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, 8.9.0, 9.0.1, 9.1.0, 9.2.0
and 9.3.1 of Confluence Data Center and Server.

It has a CVSS score of 7.1 with the vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H: reachable over the
network but with high attack complexity and low privileges required,
no user interaction, and high impact on confidentiality and
availability with low impact on integrity.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the supported fixed versions below (first fixed
release on each branch):

    Confluence Data Center and Server 8.5:  upgrade to 8.5.17 or later
    Confluence Data Center and Server 9.2:  upgrade to 9.2.1 or later
    Confluence Data Center and Server 9.4:  upgrade to 9.4.0 or later
    Confluence Data Center and Server 9.5:  upgrade to 9.5.1 or later
    Confluence Data Center and Server 10.0: upgrade to 10.0.2 or later
    Confluence Data Center and Server 10.1: upgrade to 10.1.0 or later

See the release notes. You can download the latest version of
Confluence Data Center and Server from the download center.
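Because the seven advisories above have different first-fixed releases on
each branch (for example 9.5.2 for CVE-2023-42282 but 9.5.4 for
CVE-2022-38900, and 10.1.1 rather than 10.1.0 for CVE-2025-41248), it is
easy to upgrade to a version that closes most of them but not all. The
Python script below is an added example for this note, not Atlassian or
CERT-Renater code: given an installed Confluence Data Center/Server
version, it reports which of the seven CVEs still apply. The lowest
Affects Version/s entry and the Fix Version/s list per advisory are
copied from the sections above. Two rules are assumptions, not stated by
Atlassian: "introduced in" is read as "affected from that release onward",
and a major.minor branch with no listed fix is treated as fixed only when
it is newer than every listed branch (fixes carried forward).

```python
"""Which of this note's seven Confluence advisories still apply to an
installed version?  Added example; the data below is copied from the
advisories above and the branch rule in is_fixed() is an assumption."""
import sys

# Per CVE: lowest "Affects Version/s" entry, then the "Fix Version/s" list
# (first fixed release on each branch), both as printed in this note.
ADVISORIES = {
    "CVE-2023-42282": ("7.19.0", ["8.5.20", "9.2.6", "9.3.1", "9.4.0", "9.5.2", "10.0.2", "10.1.0"]),
    "CVE-2025-48387": ("7.19.0", ["8.5.10", "9.2.5", "9.3.1", "9.5.1", "10.0.2", "10.1.0"]),
    "CVE-2024-37890": ("3.3.3",  ["8.5.10", "9.2.5", "9.3.1", "9.5.1", "10.0.2", "10.1.0"]),  # 3.3.3 as listed
    "CVE-2024-45296": ("7.19.0", ["8.5.17", "9.2.6", "9.4.0", "9.5.1", "10.0.2", "10.1.0"]),
    "CVE-2025-41248": ("10.1.0", ["10.1.1"]),
    "CVE-2022-38900": ("7.19.0", ["8.5.18", "9.2.1", "9.3.1", "9.5.4", "10.0.2", "10.1.0"]),
    "CVE-2022-46175": ("7.19.0", ["8.5.17", "9.2.1", "9.4.0", "9.5.1", "10.0.2", "10.1.0"]),
}


def parse_version(version):
    """'8.5.20' -> (8, 5, 20); a trailing qualifier such as '-rc1' is ignored."""
    core = version.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError("expected at least major.minor: %r" % version)
    return parts


def is_fixed(installed, fixes):
    """True if the major.minor branch of `installed` has a listed first-fixed
    release and `installed` is at or past it.  A branch with no listed fix
    is considered fixed only if it is newer than every listed branch
    (assumption: fixes are carried forward into later branches)."""
    inst = parse_version(installed)
    parsed = sorted(parse_version(f) for f in fixes)
    same_branch = [f for f in parsed if f[:2] == inst[:2]]
    if same_branch:
        return inst >= same_branch[0]
    return inst[:2] > parsed[-1][:2]


def outstanding(installed):
    """CVE IDs from this note that still apply to `installed`, in note order."""
    inst = parse_version(installed)
    result = []
    for cve, (introduced, fixes) in ADVISORIES.items():
        if inst < parse_version(introduced):
            continue  # older than the first affected release (assumption above)
        if not is_fixed(installed, fixes):
            result.append(cve)
    return result


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else "9.5.2"  # constructed sample input
    pending = outstanding(version)
    if pending:
        print("Confluence %s: still affected by %s" % (version, ", ".join(pending)))
        sys.exit(1)
    print("Confluence %s: none of the advisories in this note apply" % version)
```

Run it as `python3 check_confluence.py 9.5.2` (a hypothetical file name);
the non-zero exit status makes it usable as a gate in a patch-compliance
job. With the sample input 9.5.2 it reports CVE-2022-38900 as still
open, which is exactly the case the branch summary at the top of this
note is meant to catch. Versions on a branch that Atlassian lists no fix
for (9.0, 9.1, 8.6 to 8.9) come back with every applicable CVE open,
which matches the advisories: such instances must move to a supported
branch.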


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================