CVE-2023-22504: 
Confluence Server vulnerability analysis and mitigation

Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature. The vulnerability affects versions before 7.13.17, from version 7.14.0 before 7.19.9, and from version 7.20.0 before 8.2.2. This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team (Vendor Advisory).

The vulnerability is classified as a Broken Access Control vulnerability in the attachments feature of Confluence Server. It has been assigned CVE-2023-22504 with a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability allows attackers with read permissions to a page to upload attachments even when they don't have write permissions, potentially leading to unauthorized file uploads and system compromise (NVD).

Atlassian has released fixed versions to address this vulnerability. Users are advised to upgrade to version 7.13.17, 7.19.9, 8.2.2, or 8.3.0, depending on their current version (Vendor Advisory).