CVE-2023-22527

Warnung

Exploit

EPSS 94.36%
Veröffentlicht 16.01.2024 05:15:08
Zuletzt bearbeitet 24.10.2025 13:38:56
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.

Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Confluence Data Center Version >= 8.0.0 < 8.5.4

Atlassian ≫ Confluence Data Center Version8.7.0

Atlassian ≫ Confluence Server Version >= 8.0.0 < 8.5.4

24.01.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Atlassian Confluence Data Center and Server Template Injection Vulnerability

Schwachstelle

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.36%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@atlassian.com	10	3.9	6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615

Vendor Advisory

http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html

Third Party Advisory

Exploit

VDB Entry

https://jira.atlassian.com/browse/CONFSERVER-93833

Vendor Advisory

Issue Tracking

https://www.vicarius.io/vsociety/posts/pwning-confluence-via-ognl-injection-for-fun-and-learning-cve-2023-22527

Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22527

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2023-22527

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-22527

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-22527

EUVD