
Scans/Exploit Attempts for Atlassian Confluence RCE Vulnerability CVE-2023-22527

Posted: Mon Jan 22, 2024 3:53 pm
by rbc
Last week (January 16th), Atlassian released its January 2024 Security Bulletin. Included with the bulletin was a patch for CVE-2023-22527, a remote code execution vulnerability in Confluence Data Center and Confluence Server. Atlassian assigned a CVSS score of 10.0 to the vulnerability. Exploitation does not require authentication.

The update fixed a template injection vulnerability. Similar vulnerabilities have been patched in Atlassian products in the past. Confluence, like most (all?) Atlassian products, is written in Java. Java, particularly the Struts framework, uses OGNL (Object-Graph Navigation Language) to represent Java objects. An attacker able to inject an arbitrary OGNL object can execute Java code.

Yesterday, more details regarding the vulnerability were released, including proof of concept code [2]. The proof of concept code was created by reversing the patch Atlassian had released. The blog post highlighted how the "/template/aui/text-inline.vm" URL can be used to execute arbitrary code.
[...]
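As an added example (not part of rbc's post or the ISC diary it summarizes), the following script shows how a defender could hunt through existing web server logs for requests hitting the "/template/aui/text-inline.vm" endpoint that the post names. It assumes Apache/nginx "combined" style access logs; the log lines below are constructed for illustration, and the regex would need adjusting for a reverse proxy that writes a different format. It flags by path only (after URL-decoding, ignoring the query string and any Confluence context path prefix), so it does not depend on knowing any particular payload.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: logs are in Apache/nginx "combined" format. Adjust the
# regex if your proxy or load balancer writes a different layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The template endpoint named in the post as the one the PoC abuses.
SUSPICIOUS_PATH = "/template/aui/text-inline.vm"


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """True if the request targets the text-inline.vm template.

    The path is URL-decoded, stripped of its query string and lower-cased so
    that percent-encoding, "?x=1" suffixes or case changes do not hide a hit.
    endswith() tolerates a Confluence context path such as "/confluence".
    """
    path = unquote(entry["path"].split("?", 1)[0]).lower()
    return path.endswith(SUSPICIOUS_PATH)


def scan(lines):
    """Return (list of suspicious entries, Counter of hits per source IP)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that do not match the expected format
        if is_suspicious(entry):
            hits.append(entry)
            per_ip[entry["ip"]] += 1
    return hits, per_ip


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2024:10:15:01 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [22/Jan/2024:10:15:03 +0000] "GET /display/DOC/Home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Jan/2024:10:15:09 +0000] "POST /confluence/template/aui/text-inline.vm?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [22/Jan/2024:10:16:40 +0000] "POST /template/aui/text%2Dinline.vm HTTP/1.1" 403 0 "-" "Go-http-client/1.1"',
    'this line is not an access log entry',
    '198.51.100.7 - - [22/Jan/2024:10:17:00 +0000] "GET /login.action HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("hits per source IP:", dict(per_ip))
```

Run it against a real log with `scan(open("access.log"))`; every hit is worth a closer look regardless of the response status, since a 403 or 500 can mean a WAF or the patch stopped an attempt that still tells you who is scanning you.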