CVE-2023-22527: Another OGNL Injection Leads to RCE in Atlassian Confluence

Atlassian Confluence Data Center and Server are affected by a critical OGNL injection vulnerability, CVE-2023-22527, enabling unauthenticated remote code execution. The article explains how the flaw is exploited via the text-inline.vm template, the affected versions, and practical defenses and patch guidance. #CVE-2023-22527 #Confluence #OGNLInjection #text-inline.vm

Keypoints

  • CVE-2023-22527 is a critical OGNL injection impacting Confluence Data Center and Server with a CVSS score of 10.
  • The vulnerability allows unauthenticated adversaries to execute arbitrary commands remotely in vulnerable Confluence instances.
  • Affected versions are Confluence Data Center and Server 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0–8.5.3. Atlassian's fixed releases are 8.5.4 (LTS) and, for Data Center only, 8.6.0 and 8.7.1; the 7.19.x LTS line and Atlassian Cloud are not affected.
  • ShadowServer reports that over 11,000 Confluence instances are publicly exposed, with attackers actively scanning for the flaw.
  • The exploit targets the Velocity template text-inline.vm, which hands the value of the request's label parameter to an OGNL expression evaluated on the Struts value stack. A crafted HTTP POST to /template/aui/text-inline.vm with an OGNL payload in label therefore runs attacker-controlled code on the server without authentication.
  • Prior OGNL injection vulnerabilities in Confluence, CVE-2021-26084 (2021) and CVE-2022-26134 (2022), provide historical context for this class of flaw.
  • Mitigation and testing resources are discussed, including security controls and a 14-day free trial of the Picus Platform for threat simulation and mitigation.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The flaw targets a web-facing Confluence instance to deliver remote code execution. ‘unauthenticated adversaries to execute arbitrary commands remotely in a vulnerable Confluence instance.’
  • [T1059] Command and Scripting Interpreter – The exploit runs OS commands (e.g., whoami) through a crafted OGNL/templating payload. The expression #request['.KEY_velocity.struts2.context'].internalGet('ognl') pulls the OGNL tool out of the Velocity/Struts context so that a second request parameter can be evaluated as an unrestricted OGNL expression.

Indicators of Compromise

  • [URL] Exploit endpoint – POST /template/aui/text-inline.vm HTTP/1.1 against a vulnerable Confluence instance, with the OGNL payload carried in the label form parameter
  • [File name] text-inline.vm – the Velocity template reached by the exploit. It ships with every Confluence install, so its presence on disk is not an indicator; requests to it are.
  • [String] ognl – payload fragment internalGet('ognl'), normally seen together with .KEY_velocity.struts2.context. Published payloads hide these strings behind \uXXXX and percent encoding, so decode request data before matching on them.
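The following detector is an added example for this summary, not code from the Picus post or from Atlassian. It turns the indicators above into something that can be run over access logs: it picks out requests to /template/aui/text-inline.vm, decodes the query string and body (percent encoding, double encoding, and the \uXXXX escapes used by published payloads) and then looks for the OGNL fragments. The log format (combined-style with the POST body as a final quoted field), the sample log lines and the marker list are assumptions made for the example.

```python
"""Scan reverse-proxy/WAF access logs for CVE-2023-22527 exploitation attempts.

Example code added to this summary, not from the Picus post or Atlassian.
Assumes a combined-style log with the request body appended as a final quoted
field (many proxies and WAFs can be configured to log POST bodies that way).
"""
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional, Tuple

TARGET_PATH = "/template/aui/text-inline.vm"

# Substrings that appear only when a caller is feeding OGNL into the template.
# They are matched after decoding, so encoding tricks do not hide them.
OGNL_MARKERS = (
    "#request[",
    ".KEY_velocity.struts2.context",
    "internalGet(",
    "findValue(",
    "@org.apache.struts2",
    "freemarker.template.utility.Execute",
)

# ip ident user [ts] "METHOD path proto" status size "body"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines (not real traffic). Line 1 mirrors the shape of the
# public payload: quotes and brackets as \uXXXX escapes, '+' as %2b. Line 2 is
# the same injection fully percent-encoded, line 3 a bare probe of the path,
# line 4 ordinary Confluence traffic that must not be flagged.
SAMPLE_LOG = r"""
203.0.113.5 - - [22/Jan/2024:10:15:01 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse()"
203.0.113.5 - - [22/Jan/2024:10:15:02 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "label=%27%2B%23request%5B%27.KEY_velocity.struts2.context%27%5D.internalGet%28%27ognl%27%29"
198.51.100.9 - - [22/Jan/2024:10:16:44 +0000] "GET /template/aui/text-inline.vm HTTP/1.1" 200 88 "-"
198.51.100.9 - - [22/Jan/2024:10:17:03 +0000] "POST /rest/api/content HTTP/1.1" 200 2048 "title=Release%20notes"
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    severity: str              # "exploit" (OGNL present) or "probe" (path only)
    markers: Tuple[str, ...]


def normalize(payload: str) -> str:
    """Undo the layers attackers stack on the payload before matching.

    One proper form decode first ('+' means space at that layer), then peel
    further %XX layers and Java-style \\uXXXX escapes until nothing changes.
    The loop is bounded so a pathological input cannot spin forever.
    """
    cur = urllib.parse.unquote_plus(payload)
    for _ in range(3):
        nxt = urllib.parse.unquote(cur)
        nxt = re.sub(r"\\u([0-9a-fA-F]{4})",
                     lambda m: chr(int(m.group(1), 16)), nxt)
        if nxt == cur:
            break
        cur = nxt
    return cur


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a request to the vulnerable template, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, query = (m["path"].split("?", 1) + [""])[:2]
    if path != TARGET_PATH:
        return None
    body = "" if m["body"] == "-" else m["body"]
    text = normalize(query + "&" + body)
    hits = tuple(k for k in OGNL_MARKERS if k in text)
    # A request to this template with no OGNL in it is still unusual: scanners
    # check that the path exists before sending the real payload.
    severity = "exploit" if hits else "probe"
    return Finding(m["ip"], m["ts"], m["method"], severity, hits)


def scan(log_text: str) -> List[Finding]:
    """Run analyze_line over every line of a log and keep the hits."""
    findings = []
    for line in log_text.strip().splitlines():
        f = analyze_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.method} {f.severity} "
              f"markers={list(f.markers)}")
```

Matching on the decoded text rather than the raw line is the point: the first two sample requests carry the same injection but share almost no bytes on the wire, and only the decoded form exposes .KEY_velocity.struts2.context and internalGet('ognl'). The marker list is deliberately narrow so ordinary Confluence traffic is not flagged; widen it with care, since "ognl" alone matches far too much.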

Read more: https://www.picussecurity.com/resource/blog/cve-2023-22527-another-ognl-injection-leads-to-rce-in-atlassian-confluence