> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Atlassian Confluence is a popular collaboration and knowledge management platform used by teams worldwide.
Recently, security researchers at Chaitin Tech discovered a Remote Code Execution (RCE) vulnerability in Confluence and responsibly disclosed it to the authorities. On October 31, Atlassian officially announced and patched the flaw.
This vulnerability poses a severe threat to data integrity and can cause significant data loss. If you’re running Confluence, applying the fix ASAP is highly recommended.
What’s the Vulnerability?
In complex software architectures, package inheritance and namespaces add flexibility — but they can also introduce security risks. When a subpackage inherits from a parent, it also inherits interfaces, but not always the associated security controls.
In this case, Confluence misused the inheritance feature of the Struts2 framework, which allowed attackers to bypass authentication checks in certain interfaces. By chaining multiple backend API calls, an unauthenticated attacker can execute arbitrary code remotely.
Impact
Exploiting this vulnerability enables attackers to bypass authentication partially and take control of the server through chained API calls — all without logging in. Alarmingly, successful exploitation can wipe Confluence data, causing irreversible damage to your application’s integrity.
Affected Versions
- All versions of Confluence Data Center and Server are vulnerable.
Fixed Versions
- For 7.x users: upgrade to 7.19.16 or later
- For 8.3.x users: upgrade to 8.3.4 or later
- For 8.4.x users: upgrade to 8.4.4 or later
- For 8.5.x users: upgrade to 8.5.3 or later
- For 8.6.x users: upgrade to 8.6.1 or later
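To audit a fleet against the fixed-release table above, the following helper (written for this post, not Chaitin's scanner or an Atlassian tool) maps a Confluence version string to the earliest fixed release on its line; lines without a dedicated fix in the table, such as 8.0.x to 8.2.x, are treated as unpatched, and versions newer than every listed line are assumed patched per the advisory's "or later" wording.

```python
"""Classify a Confluence Data Center/Server version string against the
fixed releases listed in the CVE-2023-22518 advisory (added example)."""
from typing import Optional, Tuple

# Earliest fixed release per supported line, as stated in the advisory:
# (line prefix, first fixed release on that line)
FIXED_RELEASES = (
    ((7,),   (7, 19, 16)),
    ((8, 3), (8, 3, 4)),
    ((8, 4), (8, 4, 4)),
    ((8, 5), (8, 5, 3)),
    ((8, 6), (8, 6, 1)),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.5.3' into (8, 5, 3); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Confluence version: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_release_for(version: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Return the fixed release on the same line, or None when the line has no
    dedicated fix in the advisory (e.g. 8.0.x-8.2.x must move to a fixed line)."""
    for prefix, fixed in FIXED_RELEASES:
        if version[:len(prefix)] == prefix:
            return fixed
    return None


def is_vulnerable(text: str) -> bool:
    """True unless the version is at or above the fixed release of its line."""
    version = parse_version(text)
    fixed = fixed_release_for(version)
    if fixed is not None:
        return version < fixed          # tuple comparison handles 7.19.15 < 7.19.16
    # No fix on this line: anything older than the newest fixed line (8.6.1)
    # is unpatched; anything newer shipped after the fix (assumption).
    return version < FIXED_RELEASES[-1][1]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("7.19.15", "7.19.16", "8.2.0", "8.5.3", "8.7.0"):
        print(f"{v:>8}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```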
How to Protect Yourself
Temporary Mitigation
- Back up your Confluence data immediately.
- Avoid exposing Confluence to the public internet if possible.
- Restrict access using network ACLs to only trusted IP addresses or subnets.
Permanent Fix
Atlassian has released patched versions to address this issue. We strongly urge all users to upgrade to the fixed releases as soon as possible.
Reproduction
How to Test for This Vulnerability
Chaitin Tech provides a local scanner tool to detect this RCE:
```
./atlassian_confluence_rce_cve_2023_22518_scanner_linux_amd64 scan
```
You can download the tool here:
https://stack.chaitin.com/tool/detail/1249
Product Support and Detection
- Yuntu/Dongjian: Supports fingerprinting and POC detection for this vulnerability by default.
- SafeLine/Quanxi: Released custom rule updates to detect exploitation attempts.
- Muyun: Users with platform version 23.05.001+ can download the emergency vulnerability database (EMERVULN-23.10.031) to detect this issue via the “Emergency Vulnerability” feature. For other versions, contact Muyun support.
Timeline
- October 16: Vulnerability discovered by Chaitin Tech researchers
- October 31: Official patch released by Atlassian
- October 31: Chaitin Tech Emergency Response Center published an advisory
References
- Atlassian Security Advisory: CVE-2023-22518
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.