CVE-2023-22527
Published: 16 January 2024
Summary
CVE-2023-22527 is a critical-severity Injection (CWE-74) vulnerability in Atlassian Confluence Data Center and Server. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, its EPSS percentile places it in the top fraction of a percent of all CVEs by exploit likelihood (displayed here as the top 0.0%); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A template injection vulnerability, tracked as CVE-2023-22527 and classified as CWE-74 (Injection), affects older versions of Atlassian Confluence Data Center and Server. It permits unauthenticated remote code execution and carries a CVSS 3.1 base score of 9.8: the attack vector is the network, attack complexity is low, and neither privileges nor user interaction are required.
An unauthenticated attacker who can reach the instance over the network can supply crafted template input and execute arbitrary code on an unpatched instance, resulting in complete loss of confidentiality, integrity, and availability.
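To make the template-injection pattern concrete, here is an added illustration (not Confluence's code and not the CVE-2023-22527 exploit; it uses a constructed toy engine, not Atlassian's Velocity templates). It shows the vulnerable shape, in which untrusted input becomes template source and any `${...}` expression inside it is evaluated, next to the hardened shape, in which the template is a constant and input enters only as data, plus an input-validation gate of the SI-10 kind as a second layer. The `render`, `greet_*` and `validate_template_free` names are this example's own:

```python
import re

# Constructed stand-in for a server-side template engine: every ${...} found in
# the template SOURCE is evaluated as an expression. Real engines (Velocity,
# Jinja, Freemarker) differ in syntax but share this property, which is why
# untrusted text must never become template source.
_EXPR = re.compile(r"\$\{([^}]*)\}")


def render(template_src: str, context: dict) -> str:
    """Evaluate each ${expr} in template_src; names resolve from context only."""
    def _eval(match: re.Match) -> str:
        # Builtins are stripped so the toy engine cannot reach os/subprocess;
        # a real engine's object graph is what makes the injection an RCE.
        return str(eval(match.group(1), {"__builtins__": {}}, dict(context)))
    return _EXPR.sub(_eval, template_src)


def greet_vulnerable(user_input: str) -> str:
    """CWE-74 shape: user input is concatenated into the template source, so the
    engine parses and evaluates whatever expressions the attacker embedded."""
    return render("Hello, " + user_input + "!", {})


def greet_hardened(user_input: str) -> str:
    """Fixed shape: the template is a constant; user input enters only as a
    context value, so the engine never parses it and ${...} stays literal."""
    return render("Hello, ${name}!", {"name": user_input})


# Assumption: '$' and '#' are the characters that open expressions/directives
# in Velocity-style engines; adjust the class to the engine actually in use.
_TEMPLATE_META = re.compile(r"[$#]")


def validate_template_free(value: str, max_len: int = 64) -> str:
    """SI-10 style gate: reject input carrying template metacharacters or an
    unreasonable length before it reaches any renderer. Defence in depth only;
    the structural fix is greet_hardened."""
    if len(value) > max_len or _TEMPLATE_META.search(value):
        raise ValueError("input rejected: template metacharacters or over-long")
    return value


if __name__ == "__main__":
    probe = "${7*191}"  # classic SSTI probe: evaluation shows up as 1337
    print("vulnerable:", greet_vulnerable(probe))
    print("hardened:  ", greet_hardened(probe))
```

The probe `${7*191}` is the standard way to confirm that a renderer is evaluating input: the vulnerable path prints `Hello, 1337!`, the hardened path prints the probe back unchanged. Note that the validator alone is not a fix; an engine that evaluates input as source can often be reached with characters a blocklist misses, which is why the vendor fix is the patched release, not filtering.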
Atlassian states that the flaw was eliminated in the course of regular version updates, so current supported releases are unaffected. The vendor's January security bulletin directs customers on affected versions to upgrade to the latest Confluence Data Center or Server release, which also covers the non-critical vulnerabilities listed in the same bulletin.
Public exploit code has been posted to PacketStorm, and the EPSS score stands at 0.9435 (recorded peak 0.9746), indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-26667
Vulnerability details
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian's January Security Bulletin.
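For triage, here is an added helper (not from the original page or from Atlassian) that reads the running version out of a saved copy of an instance's login page and compares it with the minimum fixed version the operator takes from Atlassian's January bulletin. It assumes the version appears in an `ajs-version-number` meta tag; the sample HTML and the `9.9.9` floor are constructed placeholders, not real values, and the `extract_version`, `parse_version`, `at_or_above` and `triage` names are this example's own:

```python
import re
from typing import Optional, Tuple

# Constructed sample of a saved Confluence login page (not captured from a real
# instance). Assumption: the product version appears in the
# "ajs-version-number" meta tag; confirm this against your own instance.
SAMPLE_PAGE = """<html><head>
<meta name="ajs-version-number" content="8.5.3">
<meta name="ajs-build-number" content="9999">
</head><body>Log in to Confluence</body></html>"""

_VERSION_META = re.compile(
    r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE
)


def extract_version(html: str) -> Optional[str]:
    """Return the version string from the meta tag, or None if it is absent."""
    m = _VERSION_META.search(html)
    return m.group(1) if m else None


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.5.3' -> (8, 5, 3); a suffix such as '-beta' ends the numeric part."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def at_or_above(found: str, floor: str) -> bool:
    """Numeric comparison, zero-padded so that '8.5' equals '8.5.0'."""
    a, b = parse_version(found), parse_version(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def triage(html: str, fixed_floor: str) -> str:
    """Classify a saved page as 'patched', 'affected' or 'unknown'.

    fixed_floor is the minimum fixed version for the instance's release line,
    taken from the vendor bulletin. It is deliberately not hard-coded: Atlassian
    ships fixes per release line, so the floor must match the line you run."""
    found = extract_version(html)
    if found is None:
        return "unknown"
    return "patched" if at_or_above(found, fixed_floor) else "affected"


if __name__ == "__main__":
    FLOOR = "9.9.9"  # placeholder; substitute the real floor from the bulletin
    print(extract_version(SAMPLE_PAGE), "->", triage(SAMPLE_PAGE, FLOOR))
```

Run it against `curl -s https://<your-instance>/login.action > page.html` and pass the file contents as `html`. A result of `unknown` means the tag was not found (reverse proxies and customised themes can strip it), so fall back to the admin console rather than assuming the instance is patched.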
- CWE(s): CWE-74 (Injection)
- KEV Date Added: 24 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely installation of the vendor releases in which the template-injection flaw was eliminated. For operators of a packaged product this is the only complete fix and the one control they can apply themselves.
- SI-10 (Information Input Validation): requires validation and sanitization of untrusted input before it reaches the templating engine, which is the injection vector used for unauthenticated RCE. This describes the correction Atlassian shipped inside Confluence rather than something a customer can bolt on.
- Access enforcement: ensures unauthenticated network requests cannot reach the code-execution paths the vulnerability exposed. Until the patch is applied, this is a compensating control (for example, keeping the instance off the public network), not a substitute for upgrading.