S4E

CVE-2023-22527 Scanner

CVE-2023-22527 Scanner - Remote Code Execution (RCE) vulnerability in Atlassian Confluence

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 5 hours
Scan only one: Domain, IPv4
Toolbox: -

Atlassian Confluence is a popular collaboration software tool used by organizations to create, share, and organize content for team projects. Confluence is widely deployed in both Data Center and Server environments, particularly in sectors requiring robust documentation and information sharing across teams. The software is commonly utilized by project managers, software engineers, and administrators to streamline workflows and enhance productivity within an organization. Organizations often rely on Confluence to manage various aspects of project development, communication, and data organization. The application’s extensive feature set allows for customized use cases suited to specific business requirements. Confluence is a valuable resource for collaborative content management and seamless information dissemination in various professional settings.

This Remote Code Execution (RCE) vulnerability arises from a Server-Side Template Injection (SSTI) flaw in older versions of Confluence Data Center and Server. Exploitation enables an unauthenticated attacker to inject arbitrary code through crafted requests, bypassing regular access restrictions. SSTI vulnerabilities like this allow threat actors to execute unauthorized commands by exploiting input fields that process templates unsafely. Because the flaw bypasses standard security protocols, it poses significant security risks to affected systems. Attackers leveraging this RCE flaw may execute arbitrary system commands, compromise data integrity, and potentially control the system remotely. Immediate patching or mitigation is advised to prevent exploitation.

In this SSTI-based Remote Code Execution vulnerability, an attacker sends specially crafted requests that target an unprotected endpoint within Confluence, specifically the "template/aui/text-inline.vm" endpoint. Through this request, attackers can manipulate OGNL expressions within the Confluence environment, exploiting an internal Freemarker template to run arbitrary commands. The vulnerability stems from inadequate input sanitization in Confluence’s template rendering process, allowing injection payloads. Attackers use this endpoint to perform arbitrary operations by invoking objects in the backend code, which would not be possible with standard access controls.

When exploited, this vulnerability enables attackers to gain unauthorized access to the affected system, execute arbitrary system commands, and potentially achieve persistent access. This can lead to critical security risks, such as data exfiltration, malware deployment, or further infiltration into the organization's internal systems. Additionally, the vulnerability could allow attackers to leverage Confluence as a launch point for broader attacks against connected systems.
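A defender-side check for the endpoint named above, as an added example that is not part of the original page or the scanner: it scans web access logs for requests that reach "template/aui/text-inline.vm", including encoded and context-path variants. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named on this page; the log format and sample lines are assumptions.
TARGET = "/template/aui/text-inline.vm"

# Assumed layout: Apache/Nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Reduce a request target to a canonical lowercase path for matching."""
    path = target.split("?", 1)[0]       # drop the query string
    for _ in range(2):                   # second pass collapses double encoding
        path = unquote(path)
    path = re.sub(r";[^/]*", "", path)   # drop ;path-parameters such as ;jsessionid
    path = posixpath.normpath(path)      # resolve //, /./ and /../ segments
    return path.lower()                  # over-matching is acceptable for triage

def find_hits(lines):
    """Return (ip, timestamp, method, status, raw target) per request to TARGET."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        # Access logs rarely hold request bodies, so the path itself is the signal;
        # endswith() also covers installs served under a context path.
        if m and normalize(m["target"]).endswith(TARGET):
            hits.append((m["ip"], m["ts"], m["method"], m["status"], m["target"]))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '192.0.2.10 - - [22/Jan/2024:10:01:02 +0000] "GET /dashboard.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jan/2024:10:01:05 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 311 "-" "curl/8.0"',
    '198.51.100.7 - - [22/Jan/2024:10:01:09 +0000] "POST /confluence/template/aui/text%2Dinline.vm;x=1?a=b HTTP/1.1" 200 298 "-" "curl/8.0"',
    '203.0.113.4 - - [22/Jan/2024:10:02:00 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print("review:", *hit)
```

A hit is a lead for review: correlate it with the response status and with what the host did immediately afterwards.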
