Atlassian said early Friday that it was aiming to release a fix for a critical vulnerability in its Confluence collaboration software by the end of the day. Later in the day, it confirmed that it released updated versions of Confluence that include the patch for the flaw.
The vulnerability could enable execution of code by an unauthenticated remote user and has seen active exploitation, according to an advisory from Atlassian on Thursday. The flaw, tracked as CVE-2022-26134, affects every version of Confluence Server and Confluence Data Center that is currently supported.
Atlassian said that it has released a number of versions of the Confluence software containing the patch (specifically, versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1). The company recommended upgrading to one of the fixed versions of Confluence, but also provided a temporary workaround in the event that customers can't upgrade right away.
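The fixed releases are one per supported branch, so an inventory check has to compare a deployed version against the fix release for its own major.minor branch rather than against a single number. The following is an added example, not code from the article or from Atlassian: it takes the fix versions and the first-affected version quoted above, and assumes (as a labelled simplification) that any release newer than the newest listed fix shipped after the patch and is therefore fixed. The hostnames in the sample inventory are constructed.

```python
import re
from typing import Dict, Tuple

# Fixed releases Atlassian published for CVE-2022-26134 (quoted from the article).
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]

# First affected version according to Atlassian (quoted from the article).
FIRST_AFFECTED = "1.3.0"

Version = Tuple[int, int, int]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the leading major.minor.patch from a version string.

    Trailing suffixes such as '-SNAPSHOT' are ignored; anything that does not
    start with three dotted integers raises ValueError so it is not silently
    classified.
    """
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version: str) -> str:
    """Classify one deployed version as 'not_affected', 'fixed' or 'vulnerable'."""
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return "not_affected"

    fixed = [parse_version(f) for f in FIXED_VERSIONS]

    # Same major.minor branch as a listed fix: patched once at or above that release.
    for fix in fixed:
        if v[:2] == fix[:2]:
            return "fixed" if v >= fix else "vulnerable"

    # ASSUMPTION: a release newer than the newest listed fix shipped after the
    # patch and contains it. Confirm against the vendor's release notes.
    if v > max(fixed):
        return "fixed"

    # Any other branch (older, or supported but without a fix release listed)
    # has no patched build to move to; it must be upgraded to a fixed branch.
    return "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an {hostname: version} inventory to its assessment.

    Unparseable versions are reported as 'unknown' rather than dropped, so a
    blank or malformed entry still shows up for follow-up.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "wiki-prod-01.example.internal": "7.13.7",   # on a fixed release
    "wiki-prod-02.example.internal": "7.13.6",   # one below the fix for its branch
    "wiki-legacy.example.internal": "6.15.10",   # branch with no fix release listed
    "wiki-test.example.internal": "7.18.2",      # above the newest fix in its branch
    "wiki-stale.example.internal": "",           # missing version data
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:13s} {host}")
```

Hosts reported as `vulnerable` or `unknown` are the ones to act on first: either upgrade to one of the listed releases or, where that is not immediately possible, apply the vendor's workaround until the upgrade lands.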
Confluence is a team workspace designed to offer a "secure and reliable way to collaborate on mission-critical projects," Atlassian said on its website. The Confluence software, which competes with alternatives such as Microsoft SharePoint and Google Docs, is used by more than 75,000 customers, according to the site.
The zero-day Confluence vulnerability was discovered by researchers at Volexity, who said in a blog post that they reported the flaw to Atlassian on Tuesday. "When Atlassian provides a fix for this vulnerability, users should immediately patch, as this vulnerability is dangerous and trivially exploited," Volexity researchers said in the post.
"This is 10/10 on the badness scale," tweeted Steven Adair, president at Volexity.
Versions 1.3.0 and up of Confluence Server and Confluence Data Center are impacted, said Atlassian, which is also the maker of Jira and Trello.
The vulnerability follows a weeks-long outage for Atlassian's Jira issue-tracking software in the spring, which the company blamed on a communication error between teams that led to the accidental deletion of hundreds of customer sites.
This story was updated after Atlassian released a patch for the Confluence flaw.