CVE-2023-22503 (GCVE-0-2023-22503)
Vulnerability from cvelistv5 – Published: 2023-05-01 16:00 – Updated: 2024-10-01 15:22
VLAI?
Summary
Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature.
This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.
The affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0.
Severity ?
5.3 (Medium)
CWE
- Information Disclosure
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Confluence Data Center |
Unaffected:
< 7.20.2
Affected: >= 7.20.2 Unaffected: >= 7.13.5 Unaffected: >= 7.19.7 Unaffected: >= 8.20.0 |
|||||||
|
|||||||||
Credits
This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-82403"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.13.15",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.19.7",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "8.2.0",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.13.15",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.19.7",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "8.2.0",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T15:14:47.693093Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T15:22:41.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Confluence Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 7.20.2"
},
{
"status": "affected",
"version": "\u003e= 7.20.2"
},
{
"status": "unaffected",
"version": "\u003e= 7.13.5"
},
{
"status": "unaffected",
"version": "\u003e= 7.19.7"
},
{
"status": "unaffected",
"version": "\u003e= 8.20.0"
}
]
},
{
"product": "Confluence Server",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 7.20.2"
},
{
"status": "affected",
"version": "\u003e= 7.20.2"
},
{
"status": "unaffected",
"version": "\u003e= 7.13.5"
},
{
"status": "unaffected",
"version": "\u003e= 7.19.7"
},
{
"status": "unaffected",
"version": "\u003e= 8.20.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team."
}
],
"descriptions": [
{
"lang": "en",
"value": "Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature.\r\n\r\nThis vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.\r\n\r\nThe affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "Information Disclosure"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-01T16:00:32.509Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/CONFSERVER-82403"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2023-22503",
"datePublished": "2023-05-01T16:00:32.509Z",
"dateReserved": "2023-01-01T00:01:22.329Z",
"dateUpdated": "2024-10-01T15:22:41.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.13.15\", \"matchCriteriaId\": \"ACD9E451-29B3-4D59-88E5-9AAB52C64B29\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.14.0\", \"versionEndExcluding\": \"7.19.7\", \"matchCriteriaId\": \"D6EA4793-BF98-4C48-9B80-90487A33B8C2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.20.0\", \"versionEndExcluding\": \"8.2.0\", \"matchCriteriaId\": \"7D5FBFE8-F97B-4E6B-B6AB-7EF9955B66BA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.13.15\", \"matchCriteriaId\": \"7A9A23C3-4831-4882-9786-F63F8990206C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.14.0\", \"versionEndExcluding\": \"7.19.7\", \"matchCriteriaId\": \"B9F35096-F530-45EA-827F-56537235CCE3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.20.0\", \"versionEndExcluding\": \"8.2.0\", \"matchCriteriaId\": \"CBBB9EBB-FFFA-4AE8-BA5A-D06D6D9A309E\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature.\\r\\n\\r\\nThis vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.\\r\\n\\r\\nThe affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0.\"}]",
"id": "CVE-2023-22503",
"lastModified": "2024-11-21T07:44:56.947",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV30\": [{\"source\": \"security@atlassian.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
"published": "2023-05-01T17:15:08.993",
"references": "[{\"url\": \"https://jira.atlassian.com/browse/CONFSERVER-82403\", \"source\": \"security@atlassian.com\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://jira.atlassian.com/browse/CONFSERVER-82403\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-22503\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2023-05-01T17:15:08.993\",\"lastModified\":\"2024-11-21T07:44:56.947\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature.\\r\\n\\r\\nThis vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.\\r\\n\\r\\nThe affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV30\":[{\"source\":\"security@atlassian.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.13.15\",\"matchCriteriaId\":\"ACD9E451-29B3-4D59-88E5-9AAB52C64B29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.14.0\",\"versionEndExcluding\":\"7.19.7\",\"matchCriteriaId\":\"D6EA4793-BF98-4C48-9B80-90487A33B8C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.20.0\",\"versionEndExcluding\":\"8.2.0\",\"matchCriteriaId\":\"7D5FBFE8-F97B-4E6B-B6AB-7EF9955B66BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.13.15\",\"matchCriteriaId\":\"7A9A23C3-4831-4882-9786-F63F8990206C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.14.0\",\"versionEndExcluding\":\"7.19.7\",\"matchCriteriaId\":\"B9F35096-F530-45EA-827F-56537235CCE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.20.0\",\"versionEndExcluding\":\"8.2.0\",\"matchCriteriaId\":\"CBBB9EBB-FFFA-4AE8-BA5A-D06D6D9A309E\"}]}]}],\"references\":[{\"url\":\"https://jira.atlassian.com/browse/CONFSERVER-82403\",\"source\":\"security@atlassian.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://jira.atlassian.com/browse/CONFSERVER-82403\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://jira.atlassian.com/browse/CONFSERVER-82403\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:13:48.665Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-22503\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-01T15:14:47.693093Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\"], \"vendor\": \"atlassian\", \"product\": \"confluence_data_center\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.13.15\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.14.0\", \"lessThan\": \"7.19.7\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.20.0\", \"lessThan\": \"8.2.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\"], \"vendor\": \"atlassian\", \"product\": \"confluence_server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.13.15\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.14.0\", \"lessThan\": \"7.19.7\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.20.0\", \"lessThan\": \"8.2.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-01T15:21:53.399Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.\"}], \"metrics\": [{\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"}}], \"affected\": [{\"vendor\": \"Atlassian\", \"product\": \"Confluence Data Center\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"\u003c 7.20.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.20.2\"}, {\"status\": \"unaffected\", \"version\": \"\u003e= 7.13.5\"}, {\"status\": \"unaffected\", \"version\": \"\u003e= 7.19.7\"}, {\"status\": \"unaffected\", \"version\": \"\u003e= 8.20.0\"}]}, {\"vendor\": \"Atlassian\", \"product\": \"Confluence Server\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"\u003c 7.20.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.20.2\"}, {\"status\": \"unaffected\", \"version\": \"\u003e= 7.13.5\"}, {\"status\": \"unaffected\", \"version\": \"\u003e= 7.19.7\"}, {\"status\": \"unaffected\", \"version\": \"\u003e= 8.20.0\"}]}], \"references\": [{\"url\": \"https://jira.atlassian.com/browse/CONFSERVER-82403\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature.\\r\\n\\r\\nThis vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team.\\r\\n\\r\\nThe affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"Information Disclosure\", \"description\": \"Information Disclosure\"}]}], \"providerMetadata\": {\"orgId\": \"f08a6ab8-ed46-4c22-8884-d911ccfe3c66\", \"shortName\": \"atlassian\", \"dateUpdated\": \"2023-05-01T16:00:32.509Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-22503\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-01T15:22:41.837Z\", \"dateReserved\": \"2023-01-01T00:01:22.329Z\", \"assignerOrgId\": \"f08a6ab8-ed46-4c22-8884-d911ccfe3c66\", \"datePublished\": \"2023-05-01T16:00:32.509Z\", \"assignerShortName\": \"atlassian\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…