Atlassian’s Confluence Server Unauthenticated Remote Code Execution Vulnerability

A critical OGNL template injection (CVE-2023-22527) in Atlassian Confluence Server and Data Center allows unauthenticated remote code execution via a vulnerable Velocity template (text-inline.vm) reachable at /template/aui/text-inline.vm. Users should prioritize upgrading affected Confluence versions and block exploit attempts; public PoC and Metasploit modules exist. #CVE-2023-22527 #AtlassianConfluence

Keypoints

  • Vulnerability CVE-2023-22527 is an unauthenticated template injection in Atlassian Confluence Server and Data Center with a CVSS score of 10.0.
  • Attackers exploit a Velocity template file (text-inline.vm) by sending a crafted POST to /template/aui/text-inline.vm to inject OGNL expressions.
  • Injected OGNL can access org.apache.struts2.views.jsp.ui.OgnlTool and call Ognl.findValue to execute Java code and system commands (RCE).
  • Successful exploitation bypasses authentication and can run arbitrary commands via exec(), returning results such as uid/gid from the server.
  • Public exploit code—including a GitHub PoC and a Metasploit module—has been released and attackers are actively scanning exposed Confluence instances.
  • SonicWall released IPS signatures to detect this SSTI and recommends immediate vendor upgrades per Atlassian advisory.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker sends a crafted request to a Confluence endpoint to bypass authentication and trigger template injection (‘…send a POST request to “/template/aui/text-inline.vm”…’).
  • [T1059.003] Command and Scripting Interpreter: Unix Shell – The injected OGNL calls exec() to run system commands on the server (‘…pass arguments to the exec method, bypassing authentication and executing system commands.’).

Indicators of Compromise

  • [Endpoint/Path] Exploit target – /template/aui/text-inline.vm (POST requests used to trigger OGNL injection).
  • [File name] Vulnerable template – text-inline.vm (deprecated in patched versions; used to craft payloads that call exec()).
  • [URL] Public PoC – https://github.com/sanjai-AK47/CVE-2023-22527 (proof-of-concept exploit for RCE).
  • [URL] Vendor advisory and details – https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
  • [URL] Public exploit reference – http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html (exploit details in the wild).

Atlassian Confluence Server and Data Center contain a critical server-side template injection (SSTI) vulnerability (CVE-2023-22527) rooted in improper input handling of Velocity templates. Unpatched instances expose a Velocity template file named text-inline.vm that accepts unsanitized parameters; by sending a specially crafted POST to /template/aui/text-inline.vm, an attacker can inject OGNL expressions. The exploit leverages an OGNL expression such as request['.KEY_velocity.struts2.context'].internalGet('ognl') to obtain the OgnlTool and call Ognl.findValue, enabling the attacker to evaluate arbitrary OGNL and Java expressions within the application context.

Using the #parameters vector in the template, attackers can pass arguments into an exec() call to execute system commands without authentication. Changing the payload parameter allows execution of arbitrary commands remotely; successful responses commonly include process/user information (for example uid, gid and group listings). Public proof-of-concept code and Metasploit modules demonstrate reliable RCE against affected versions, and active scanning for exposed Confluence instances has been observed.

Defensive actions include immediately upgrading Confluence Server/Data Center to vendor-published patched versions, applying web application firewall/IPS rules (for example the SonicWall IPS signatures listed in vendor guidance), and blocking or monitoring POST requests to /template/aui/text-inline.vm. Review logs for suspicious POSTs to the template endpoint and for unexpected command output in responses, and remove or patch deprecated Velocity templates such as text-inline.vm to eliminate the unauthenticated attack surface.
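As an added illustration of the log review described above (example code, not from the SonicWall post or from Atlassian), the following Python checker parses web-server access-log lines, normalizes each request path and reports POSTs to the vulnerable template endpoint per source IP, separating those that received HTTP 200. The log format, the sample lines and the source addresses are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Endpoint the advisory identifies as the exploit target for CVE-2023-22527.
VULN_PATH = "/template/aui/text-inline.vm"

# Common/combined access-log format as written by a reverse proxy or Tomcat access valve.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log lines for this example; not taken from the original post.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:10:02:11 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jan/2024:10:02:15 +0000] "GET /login.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:02:20 +0000] "POST /template/aui/text-inline.vm;jsessionid=ABC HTTP/1.1" 200 640 "-" "curl/8.4.0"
192.0.2.44 - - [16/Jan/2024:10:03:01 +0000] "GET /template/aui/text-inline.vm HTTP/1.1" 405 0 "-" "Go-http-client/1.1"
192.0.2.44 - - [16/Jan/2024:10:03:05 +0000] "POST /%74emplate//aui/text-inline.vm?x=1 HTTP/1.1" 403 0 "-" "Go-http-client/1.1"
"""

def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical path so trivial variations still match."""
    path = urlsplit(target).path              # drop the query string
    path = path.split(";", 1)[0]              # drop servlet path parameters (;jsessionid=...)
    path = unquote(path)                      # decode percent-encoding
    return re.sub(r"/+", "/", path).lower()   # collapse repeated slashes, case-fold

def find_exploit_attempts(log_text: str) -> list[tuple[str, str, int]]:
    """Return (source_ip, timestamp, status) for every POST aimed at the vulnerable template."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "POST":
            continue
        if normalize_path(m["target"]) == VULN_PATH:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

def summarize_by_source(hits) -> dict[str, dict[str, int]]:
    """Per source IP: total POSTs to the endpoint and how many received HTTP 200 (likely successful)."""
    summary = defaultdict(lambda: {"attempts": 0, "http_200": 0})
    for ip, _ts, status in hits:
        summary[ip]["attempts"] += 1
        if status == 200:
            summary[ip]["http_200"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, counts in summarize_by_source(find_exploit_attempts(SAMPLE_LOG)).items():
        print(f"{ip}: {counts['attempts']} POST(s) to {VULN_PATH}, {counts['http_200']} returned 200")
```

A 200 response to a POST on this endpoint from a host that should never reach the template is the case to escalate first; blocked (403) or method-rejected requests still indicate scanning worth correlating with other sources.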

Read more: https://blog.sonicwall.com/en-us/2024/04/atlassians-confluence-server-unauthenticated-remote-code-execution/