CVE-2023-22504

Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*

History

07 Jun 2023, 14:15

Type Values Removed Values Added
Summary Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature. The affected versions are before version 7.19.9. This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team. Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

01 Jun 2023, 16:41

Type Values Removed Values Added
CWE CWE-434
First Time Atlassian confluence Server
Atlassian
CPE cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
References (MISC) https://jira.atlassian.com/browse/CONFSERVER-83218 - (MISC) https://jira.atlassian.com/browse/CONFSERVER-83218 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5

25 May 2023, 15:58

Type Values Removed Values Added
New CVE

Information

Published : 2023-05-25 14:15

Updated : 2023-12-10 15:01


NVD link : CVE-2023-22504

Mitre link : CVE-2023-22504

CVE.ORG link : CVE-2023-22504


JSON object : View

Products Affected

atlassian

  • confluence_server
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type