Atlassian urges customers to take ‘immediate action’ to protect against data-loss security bug

Australian software giant Atlassian has warned of a critical security flaw that could lead to “significant data loss” for customers, just weeks after state-backed hackers targeted its products.

In an advisory this week, the company urged customers to patch against the flaw affecting on-premise versions of Atlassian Confluence Data Center and Server, a widely popular collaborative wiki system that enterprises use to organize and share work. This product was recently the target of Chinese state-sponsored hackers, who exploited a separate 10.0 maximum-rated vulnerability to compromise a “handful” of Atlassian customers.

This latest vulnerability, tracked as CVE-2023-22518 and rated 9.1 out of 10 on the vulnerability severity scoring system, has been described as an “improper authorization vulnerability.” Atlassian has warned that it could lead to “significant data loss if exploited by an unauthenticated attacker.”

The company hasn’t detailed how the flaw can facilitate data loss, and Atlassian spokesperson Ana Keltchina didn’t immediately respond to TechCrunch’s questions.

Atlassian noted that there were no reports of active exploitation as of October 31 and said there is “no impact to confidentiality as an attacker cannot exfiltrate any instance data.” Atlassian Cloud sites accessed via an atlassian.net domain are also unaffected by this vulnerability, Atlassian said.

The company’s advisory included a message from Atlassian CISO Bala Sathiamurthy, who said that while the flaw is not yet being actively exploited, customers must take “immediate action” to protect their instances.

The advisory warns that all publicly accessible Confluence Data Center and Server versions “are at critical risk and require immediate attention.” Atlassian urged administrators to upgrade to a fixed version without delay, and said that if that is not possible, temporary mitigations must be applied.

“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” the company added.

Earlier this month, Atlassian announced its plans to acquire video messaging service Loom for $975 million. The company said it believes that Loom can be a useful collaboration tool for its platform, especially Jira and Confluence.