CVE-2023-22527 — CRITICAL (9.8)

Q: How severe is CVE-2023-22527?

CVE-2023-22527 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2023-22527?

Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Confluence Data Center, Atlassian Confluence Server.

Vulnerability Description

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Atlassian	Confluence Data Center	>= 8.0.0, < 8.5.4
Atlassian	Confluence Server	>= 8.0.0, < 8.5.4

Related Weaknesses (CWE)

CWE-74

References

http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.ExploitThird Party AdvisoryVDB Entry
https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615Vendor Advisory
https://jira.atlassian.com/browse/CONFSERVER-93833Issue TrackingVendor Advisory
http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.ExploitThird Party AdvisoryVDB Entry
https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615Vendor Advisory
https://jira.atlassian.com/browse/CONFSERVER-93833Issue TrackingVendor Advisory
https://www.vicarius.io/vsociety/posts/pwning-confluence-via-ognl-injection-for-Exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-US Government Resource

FAQ

What is CVE-2023-22527?

CVE-2023-22527 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version...

How severe is CVE-2023-22527?

CVE-2023-22527 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-22527?

Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Confluence Data Center, Atlassian Confluence Server.