Atlassian has fixed a critical-severity, unauthenticated remote code execution (RCE) zero-day vulnerability (CVE-2022-26134) in Confluence Server and Data Center.
An attacker could exploit this vulnerability to take control of impacted systems.
“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,” Atlassian stated in the advisory.
The OGNL injection vulnerability CVE-2022-26134 (CVSS score of 10.0) allows an unauthenticated actor to execute arbitrary code on a Confluence Server or Data Center instance.
The flaw is similar to CVE-2021-26084, which Atlassian patched in September 2021. According to a Cybersecurity Advisory (CSA) released last month, that issue was among the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021.
Confluence Server and Data Center versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 each contain a fix for CVE-2022-26134.
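As an added example (not code from the article or from Atlassian), the following Python helper triages an inventory of Confluence instances against the fixed releases listed above, comparing each version only with the fix in its own release branch. How it treats branches with no listed fix, and releases newer than 7.18.1, is an assumption stated in the comments.

```python
import re

# Fixed releases for CVE-2022-26134, one per release branch, as listed in the advisory.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(text):
    """Turn '7.13.7' (or '7.13') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_for_branch(version):
    """Return the fixed release for this version's major.minor branch, or None."""
    branch = parse_version(version)[:2]
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == branch:
            return parse_version(fixed)
    return None


def patch_status(version):
    """Classify one version: 'patched', 'vulnerable' or 'upgrade-required'."""
    v = parse_version(version)
    fix = fixed_for_branch(version)
    if fix is not None:
        # Same branch as a listed fix: anything at or above the fix carries it.
        return "patched" if v >= fix else "vulnerable"
    # Assumption: releases newer than the newest listed fix (7.18.1) include it,
    # and older branches with no listed fix must move to a fixed branch.
    newest_fix = max(parse_version(f) for f in FIXED_VERSIONS)
    return "patched" if v >= newest_fix else "upgrade-required"


def triage(inventory):
    """Map each host in {host: version} to its patch status."""
    return {host: patch_status(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "wiki-a.example.test": "7.13.5",
    "wiki-b.example.test": "7.13.7",
    "wiki-c.example.test": "7.12.3",
    "wiki-d.example.test": "7.18.1",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, status)
```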