VDB
GSD-2023-22527
GSD-2023-22527
PUBLISHED
CVSS 10 CRITICAL
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
Risk Scores
CVSS v3.0
10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Confluence Data Center | *, >= 8.0.0, >= 8.1.0 |
| atlassian | confluence_data_center | 8.0.0 |
| Atlassian | Confluence Server | *, < 8.0.0, >= 8.0.0 |
| atlassian | confluence_server | 8.0.0 |
Timeline
- Jan 16, 2024 PoC Published
- Jan 24, 2024 PoC Published
- Jan 25, 2024 PoC Published
- Feb 8, 2024 PoC Published
- Oct 24, 2024 PoC Published
- Oct 25, 2024 PoC Published
- Oct 26, 2024 PoC Published
- Oct 27, 2024 PoC Published
- Oct 28, 2024 PoC Published
- Oct 29, 2024 PoC Published
- Oct 30, 2024 PoC Published
- Oct 31, 2024 PoC Published
References
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615 url
- https://jira.atlassian.com/browse/CONFSERVER-93833 url
- http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html url
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22527 url
- https://www.vicarius.io/vsociety/posts/pwning-confluence-via-ognl-injection-for-fun-and-learning-cve-2023-22527 url