(CVE-2023-22527) Atlassian Confluence - Remote Code Execution

Vulnerability Overview#

Out-of-date versions of Atlassian Confluence Data Center and Server contain a template injection vulnerability. An unauthenticated attacker can craft a request that triggers Velocity template injection and, through it, OGNL expression evaluation, ending in remote command execution.

Affected Versions#

All end-of-life versions, plus:

  • 8.4.0 <= Confluence Data Center and Server <= 8.4.4
  • 8.5.0 <= Confluence Data Center and Server <= 8.5.3
  • 8.6.0 <= Confluence Data Center <= 8.6.1

Analysis#

As usual, I diffed the patches and found some changes. One deleted file stood out:

Deleted: ConfluenceStrutsUtil, which extends VelocityStrutsUtil.

VelocityStrutsUtil in turn extends StrutsUtil, so at this point it is reasonable to suspect Velocity template injection.

The pattern is similar to previous Confluence cases: Velocity parsing leading to OGNL expression evaluation. So I started looking at .vm files.

I made a big mistake here: I stared at the reset-password part for a long time but got nowhere. That variable is read from the action, so it shouldn’t be controllable. When accessing via a .vm template, you can’t set that value directly.

And since I was busy with year-end work, I put it aside for a while.

Later I noticed a GitHub project that contains all the .vm diffs:
https://github.com/Sudistark/patch-diff-CVE-2023-22527

With that, a quick search surfaced the relevant template:

I tried other endpoints without much success. During this I asked “Z3” for help and got this reply:

Eventually, in text-inline.vm, the template calls findValue on the value stack with a request-controlled string, which triggers OGNL expression evaluation:

Try the classic PoC:

In StrutsUtil you can indeed find the relevant logic (it’s long, so it’s split across screenshots):

After that, the flow follows the template definition and reaches findvalue:

At this point the expression is evaluated:

Then getText is used to fetch the value, and we can see the evaluation has already happened:

So this is a Velocity-driven OGNL expression evaluation vulnerability.
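As an added example (not code from this post, from Atlassian, or from vulhub), here is a small Python detector for the request shape described above: a request to text-inline.vm whose parameters carry the Velocity-to-OGNL bridge and, typically, an OGNL gadget in a second parameter. The marker strings, the sample captures and the assumption that raw requests with POST bodies are available (reverse proxy or WAF capture) are mine; the markers follow the shape of the public PoCs rather than anything stated on this page, and the normalizer exists because those PoCs write quotes and brackets as Java-style \uXXXX escapes and use percent-encoding.

```python
"""Flag CVE-2023-22527-style requests to /template/aui/text-inline.vm.

Added example (not the post's or Atlassian's code). Assumptions:
- raw HTTP requests with bodies are available (reverse proxy / WAF capture);
- the marker strings mirror the public PoC shape (Velocity -> OGNL bridge via
  .KEY_velocity.struts2.context / internalGet / findValue) and common OGNL
  gadget class names; they are heuristics, not a complete signature;
- the public PoC writes quotes and brackets as \\uXXXX escapes and uses
  percent-encoding, so values are normalized before matching.
"""
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/template/aui/text-inline.vm"

# Stage 1: reaching OGNL from Velocity (bridge markers, assumption).
BRIDGE_MARKERS = (
    ".KEY_velocity.struts2.context",
    "internalGet(",
    "findValue(",
    "#request[",
    "#parameters",
)
# Stage 2: what the evaluated OGNL usually does (gadget markers, assumption).
GADGET_MARKERS = (
    "@org.apache.struts2.ServletActionContext@",
    "freemarker.template.utility.Execute",
    "java.lang.Runtime",
    "ProcessBuilder",
)

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(value: str) -> str:
    """Undo percent-encoding and Java-style \\uXXXX escapes until stable."""
    prev, cur = None, value
    for _ in range(5):  # bounded: deeper nesting is simply matched as-is
        if cur == prev:
            break
        prev = cur
        cur = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), unquote(cur))
    return cur


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, query, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return method, path, query, headers, body


def inspect_request(raw: str) -> dict:
    """Return a verdict: suspicious flag, offending parameter names, matched markers."""
    _method, path, query, headers, body = parse_request(raw)
    verdict = {"path": path, "suspicious": False, "params": [], "hits": []}
    if not path.endswith(TARGET_PATH):
        return verdict  # other endpoints are out of scope for this check
    params = parse_qs(query, keep_blank_values=True)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for name, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(vals)
    for name, vals in params.items():
        for val in vals:
            norm = normalize(val)  # "#request\u005b" only matches "#request[" after decoding
            hits = [m for m in BRIDGE_MARKERS + GADGET_MARKERS if m in norm]
            if not hits:
                continue
            verdict["suspicious"] = True
            if name not in verdict["params"]:
                verdict["params"].append(name)
            for h in hits:
                if h not in verdict["hits"]:
                    verdict["hits"].append(h)
    return verdict


# Constructed sample captures (not real traffic).
BENIGN_REQUEST = (
    "POST /template/aui/text-inline.vm HTTP/1.1\r\n"
    "Host: confluence.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "label=confluence.page.title"
)
SUSPICIOUS_REQUEST = (
    "POST /template/aui/text-inline.vm HTTP/1.1\r\n"
    "Host: confluence.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d"
    ".internalGet(\\u0027ognl\\u0027).findValue(%23parameters.x,{})%2b\\u0027"
    "&x=@org.apache.struts2.ServletActionContext@getResponse()"
)

if __name__ == "__main__":
    for tag, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(tag, inspect_request(req))
```

The check is deliberately two-staged: the bridge markers catch the part of the payload that is hard to vary (the route from Velocity into the OGNL value stack), while the gadget markers only add context about what the attacker intended. Matching on `findValue` alone, without the normalization step, would miss the public PoC shape entirely because its quotes and brackets arrive as `\u0027` and `\u005b`.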

About RCE#

This part was painful. I tried several payloads and couldn't get reliable command execution (e.g., popping a calculator), until today, when I saw that "P牛" had updated vulhub, which reminded me to use output-based verification instead of blind execution. I'll just link vulhub here rather than copying it verbatim:

https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2023-22527

Source: https://springkill.github.io/en/posts/cve-2023-22527-atlassian-confluence-remote-code-execution/
Author: SpringKill
Published: 2024-01-23
License: CC BY-NC-SA 4.0