What is CVE-2023-22527?
Atlassian has disclosed an unauthenticated remote code execution vulnerability, assigned CVE-2023-22527, that affects certain versions of Confluence Data Center and Confluence Server. The root cause lies in how Confluence renders views: it uses Velocity templates (*.vm), and these template files can be requested directly like any other server-side script, which sidesteps authentication entirely. At least one of the directly reachable templates evaluates request-controlled input as an OGNL expression, which gives an attacker a reliable path to remote command execution.
This is a critical vulnerability. Successful exploitation yields command execution on the Confluence host, which is typically followed by malware deployment or lateral movement into the internal network.
How bad is this?
| CVE | CVSSv3 Score |
| --- | --- |
| CVE-2023-22527 | 10.0 |
Severity: Critical
- Credentials are NOT required
- Mass exploitation in the wild
- Low attack complexity
- Publicly available proof-of-concept code
How is it exploited?
Exploitation is a single unauthenticated HTTP POST to a reachable *.vm template, with a crafted OGNL expression supplied in a request parameter. No credentials or prior interaction are needed, so one request is enough. Because the payload travels in the POST body, a plain access log records only the method and the target path; inspecting the payload itself requires a WAF or reverse-proxy capture of request bodies.
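The following Python triage helper, added here as an example and not code from Atlassian or from this advisory, turns the exploitation pattern above into a check that can be run over captured traffic: it flags any POST aimed straight at a *.vm template and, where a WAF or proxy captured the body, looks for OGNL-shaped markers after peeling off URL encoding and \uXXXX escapes. It goes slightly beyond the text by handling double-encoded paths, which attackers use to dodge naive string matching. The log format, the sample lines, the marker list and the payload are all constructed for illustration; the payload is deliberately not a working exploit.

```python
"""Triage helper for the exploitation pattern described above: an unauthenticated
POST aimed straight at a Velocity *.vm template, optionally carrying an OGNL-looking
payload. Added example, not Atlassian's code; log format, paths, marker list and
payloads are constructed for illustration."""
import re
from urllib.parse import unquote

# Combined-format access line as a reverse proxy in front of Confluence would write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Strings common in OGNL expressions that never belong in a template parameter.
# Assumption: an illustrative starting list, to be tuned against real traffic.
OGNL_MARKERS = ("#request", "#parameters", "findValue", "@java.lang", "getRuntime", "KEY_velocity")


def decode(s: str) -> str:
    """Peel off repeated URL-encoding, then \\uXXXX escapes, so encoding tricks do not hide markers."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def ognl_markers(data: str) -> list:
    """Markers present in data after decoding, in OGNL_MARKERS order."""
    decoded = decode(data)
    return [m for m in OGNL_MARKERS if m in decoded]


def triage_request(line: str, body: str = "") -> list:
    """Reasons a request matches the exploitation pattern; an empty list means clean.
    body is the POST body if a WAF or proxy captured it: a plain access log has none,
    so the method-plus-path signal has to carry detection on its own."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m["target"].partition("?")
    path = decode(path)
    reasons = []
    if m["method"] == "POST" and path.lower().endswith(".vm"):
        reasons.append(f"POST to Velocity template {path}")
    for where, data in (("query", query), ("body", body)):
        found = ognl_markers(data)
        if found:
            reasons.append(f"OGNL markers in {where}: {', '.join(found)}")
    return reasons


# Constructed sample traffic (not real Confluence logs); the second field is the
# captured body where one exists.
SAMPLE_TRAFFIC = [
    ('198.51.100.7 - - [23/Jan/2024:09:00:01 +0000] "GET /display/ENG/Home HTTP/1.1" 200 18211', ""),
    ('198.51.100.7 - - [23/Jan/2024:09:00:05 +0000] "POST /dologin.action HTTP/1.1" 302 0',
     "os_username=alice&os_password=REDACTED"),
    # POST straight at a .vm template, body with an OGNL-shaped (constructed, non-working) payload
    ('203.0.113.10 - - [23/Jan/2024:09:01:12 +0000] "POST /template/example/view.vm HTTP/1.1" 200 1044',
     "label=%5Cu0027%2B%23request.findValue(%23parameters.x)%2B%5Cu0027&x=1"),
    # same target with the dot double-encoded and no body captured
    ('203.0.113.10 - - [23/Jan/2024:09:01:13 +0000] "POST /template/example/view%252evm HTTP/1.1" 200 1044', ""),
]


def triage_traffic(traffic=SAMPLE_TRAFFIC) -> dict:
    """Map each suspicious request target to its reasons; clean requests are omitted."""
    hits = {}
    for line, body in traffic:
        reasons = triage_request(line, body)
        if reasons:
            hits[LOG_RE.match(line)["target"]] = reasons
    return hits


if __name__ == "__main__":
    for target, reasons in triage_traffic().items():
        print(target, "->", "; ".join(reasons))
```

Run it as-is to see the two constructed exploit-pattern requests flagged and the two benign ones ignored; in practice, feed it your proxy's access log and, if you have it, the body capture from the WAF. The fourth sample line shows why the method-plus-path rule matters: with no body logged, the double-encoded `.vm` target is the only signal, and it survives because the path is decoded before the suffix check.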
How do I protect myself?
Atlassian recommends that vulnerable installations upgrade to the fixed release for their release line.
| Product | Fixed Versions |
| --- | --- |
| Confluence Data Center and Server | 8.5.4 (LTS) |
| Confluence Data Center | 8.6.0, 8.7.1 (Data Center only) |
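An inventory check built on the fixed versions in the table, added here as an example and not Atlassian's tooling. It compares each host's reported version against the fix on its own release line, so an 8.7.0 instance is flagged against 8.7.1 rather than against the LTS fix. Two rules are this example's assumptions rather than statements from the table: release lines after 8.7 are treated as carrying the 8.7.1 fix, and 8.x lines before 8.5, for which the table lists no fixed release, are pointed at the 8.5.4 LTS fix. Versions outside 8.x are reported as not covered by the table. The sample inventory and hostnames are constructed.

```python
"""Inventory triage against the fixed versions listed above. Added example, not
Atlassian's tooling: the release-line rules are this example's reading of the table,
and the sample inventory is constructed."""
import re

# Fixed versions from the table, keyed by release line (major, minor).
FIXED = {(8, 5): (8, 5, 4), (8, 6): (8, 6, 0), (8, 7): (8, 7, 1)}
LTS_FIX = (8, 5, 4)


def parse_version(text: str) -> tuple:
    """'8.5.3', '8.5.3-p1' or '8.5' -> (8, 5, 3), (8, 5, 3), (8, 5, 0); raises on junk."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def fmt(v: tuple) -> str:
    return ".".join(str(x) for x in v)


def verdict(text: str) -> str:
    """'fixed', 'upgrade to X.Y.Z', or 'not covered by this table' for non-8.x releases."""
    v = parse_version(text)
    line = v[:2]
    if v[0] != 8:
        return "not covered by this table"          # the table only lists 8.x fixes
    if line in FIXED:
        return "fixed" if v >= FIXED[line] else f"upgrade to {fmt(FIXED[line])}"
    if line > (8, 7):
        return "fixed"                              # assumption: lines after 8.7 ship with the 8.7.1 fix
    return f"upgrade to {fmt(LTS_FIX)}"             # assumption: no fixed release on 8.0-8.4, move to LTS


# Constructed inventory: (host, version string as reported by the instance)
SAMPLE_INVENTORY = [
    ("wiki-prod.example.internal", "8.5.3"),
    ("wiki-dc01.example.internal", "8.7.1"),
    ("wiki-legacy.example.internal", "8.2.1"),
    ("wiki-old.example.internal", "7.19.17"),
]


def triage_inventory(rows=SAMPLE_INVENTORY) -> dict:
    """Host -> verdict, so the hosts that still need an upgrade stand out."""
    return {host: verdict(version) for host, version in rows}


if __name__ == "__main__":
    for host, v in triage_inventory().items():
        print(f"{host:32} {v}")
```

Replace SAMPLE_INVENTORY with the host list from your CMDB or scanner export; anything the instance reports with a build suffix (for example "8.5.3-p1") still parses, because only the numeric prefix is compared.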
Who is affected by this?
Current estimates from Shodan and Censys queries put the number of internet-exposed Confluence endpoints at roughly 5,600.
| Product | Affected Versions |
| --- | --- |
| Confluence Data Center and Server | |
Mitigating Factors?
There are no known workarounds. To remediate this vulnerability, upgrade each affected installation to a fixed release (ideally the latest version of its release line). Because exploitation in the wild is widespread, any instance that was reachable from the internet while unpatched should be treated as potentially compromised and reviewed for signs of post-exploitation activity before it is trusted again.