
Software company Atlassian issued an advisory on 2 June concerning a previously unknown critical vulnerability (CVE-2022-26134), a so-called zero-day. The vulnerability affects all supported versions of Atlassian Confluence Server and Confluence Data Center. According to Atlassian, Atlassian Cloud is not affected. NCSC-NL published an advisory, rating the vulnerability as High/High. No patch is currently available.

The vulnerability allows an unauthenticated actor to remotely execute code and access sensitive information within the scope of the system. It is likely that all versions are vulnerable, although Atlassian still needs to identify the earliest affected version. Proof-of-concept code is not publicly available.

According to Volexity, the security company behind the discovery, the vulnerability is easily exploitable. Volexity has also confirmed limited exploitation.

https://english.ncsc.nl/latest/news/2022/juni/3/critical-zero-day-vulnerability