Just in Time Bulletin: CVE-2023-22527 Atlassian Confluence RCE

Jan 31, 2024

What is CVE-2023-22527?

Atlassian recently reported an unauthenticated remote command execution vulnerability that impacts certain versions of Confluence Data Center and Server. The vulnerability, assigned CVE-2023-22527, can be exploited remotely by an unauthenticated attacker. The root cause lies in the way views are rendered in Confluence: Confluence uses Velocity templates (*.vm) for this purpose, and these template files can be requested directly like any other script, which effectively bypasses authentication. At least one of the directly reachable templates was found to be prone to OGNL injection, which provided a reliable vector for remote command execution.

This is a critical vulnerability. Successful exploitation facilitates remote command execution, which can result in malware deployment or lateral movement within a private network.

How bad is this?

CVE: CVE-2023-22527
CVSSv3 Score: 10
Severity: Critical

  • Credentials are NOT required
  • Mass exploitation in the wild
  • Low level of complexity
  • Publicly available proof-of-concept code

How is it exploited?

Exploitation is carried out by an unauthenticated attacker via a POST request to a *.vm script using a crafted OGNL payload. Exploitation requires a single request and a low level of complexity.

How do I protect myself?

Atlassian recommends that vulnerable installations apply the patch that correlates to their version.

Product: Fixed Versions
  • Confluence Data Center and Server: 8.5.4 (LTS)
  • Confluence Data Center: 8.6.0 (Data Center only), 8.7.1 (Data Center only)

Who is affected by this?

Current estimates based on Shodan and Censys queries indicate that roughly 5,600 endpoints across the internet are externally accessible.

Product: Confluence Data Center and Server
Affected Versions:
  • 8.0.x
  • 8.1.x
  • 8.2.x
  • 8.3.x
  • 8.4.x
  • 8.5.0-8.5.3
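Two parts of this bulletin translate directly into defender-side code: the affected-version list above, and the exploitation path described earlier (a POST request sent straight to a *.vm template). The following Python is an added example, not NopSec's or Atlassian's code; the access-log lines and template paths are constructed placeholders, and the version check encodes only the ranges this bulletin lists.

```python
import re
from typing import List, Tuple

# Affected ranges as listed in the bulletin: 8.0.x through 8.4.x, and 8.5.0-8.5.3.
# Any other version is simply "not listed", which is not the same as "safe".
def is_affected(version: str) -> bool:
    """Return True if a Confluence version string falls in the bulletin's affected ranges."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    if major != 8:
        return False
    if 0 <= minor <= 4:
        return True
    return minor == 5 and patch <= 3

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def flag_vm_posts(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, timestamp, path) for every POST aimed directly at a *.vm template.

    Legitimate Confluence clients do not POST to Velocity template files, so each hit
    is a candidate for triage against the patch status of the instance.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if m.group("method") == "POST" and path.lower().endswith(".vm"):
            hits.append((m.group("client"), m.group("ts"), path))
    return hits

# Constructed sample access-log lines (not real traffic); template paths are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [31/Jan/2024:10:02:11 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Jan/2024:10:02:13 +0000] "POST /template/placeholder.vm HTTP/1.1" 200 843',
    '203.0.113.9 - - [31/Jan/2024:10:05:40 +0000] "POST /rest/api/content HTTP/1.1" 401 0',
    '203.0.113.9 - - [31/Jan/2024:10:05:42 +0000] "POST /other/placeholder.VM?x=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for v in ("8.4.2", "8.5.3", "8.5.4", "8.6.0"):
        print(v, "affected" if is_affected(v) else "not in affected list")
    for client, ts, path in flag_vm_posts(SAMPLE_LOG):
        print(f"[{ts}] POST to template from {client}: {path}")
```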

Mitigating Factors?

There are no known workarounds. To remediate this vulnerability, update each affected product installation to the latest version.

Additional Resources About CVE-2023-22527