CVE-2023-22522 – This is a template injection vulnerability in C... (How to Fix)

Q: What is the severity of CVE-2023-22522?

CVE-2023-22522 has a CVSS score of 8.8 (HIGH). This is a template injection vulnerability in Confluence Data Center and Server that allows authenticated attackers (including anonymous users) to inject malicious input into pages, leading to remote code execution. Only self-hosted Confluence instances are affected - Atlassian Cloud sites are not vulnerable. Attackers can gain full control of affected systems.

📋 TL;DR

This is a template injection vulnerability in Confluence Data Center and Server that allows authenticated attackers (including anonymous users) to inject malicious input into pages, leading to remote code execution. Only self-hosted Confluence instances are affected - Atlassian Cloud sites are not vulnerable. Attackers can gain full control of affected systems.

💻 Affected Systems

Products:

Confluence Data Center
Confluence Server

Versions: Multiple versions - check Atlassian advisory for specific affected versions

Operating Systems: All operating systems running Confluence

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects self-hosted Confluence instances. Atlassian Cloud (atlassian.net domains) is NOT affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining root/admin privileges, data exfiltration, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to data theft, privilege escalation, and deployment of ransomware or cryptominers.

🟢

If Mitigated

Limited impact with proper network segmentation, but still potential for data breach within the Confluence application.

🌐 Internet-Facing: HIGH - Internet-facing Confluence instances are directly exploitable by any authenticated user including anonymous access.

🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authentication but anonymous access is sufficient. Multiple public exploits exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Atlassian advisory for specific fixed versions

Vendor Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1319570362

Restart Required: Yes

Instructions:

1. Check your Confluence version. 2. Download and apply the latest security patch from Atlassian. 3. Restart Confluence service. 4. Verify the patch is applied.

🔧 Temporary Workarounds

Disable anonymous access

all

Remove anonymous user permissions to reduce attack surface

Navigate to Confluence Admin > User Management > Anonymous Access > Disable

Network segmentation

all

Restrict access to Confluence instances to trusted networks only

Configure firewall rules to limit Confluence access to internal IP ranges

🧯 If You Can't Patch

Immediately disable anonymous access to Confluence
Implement strict network access controls and isolate Confluence servers

🔍 How to Verify

Check if Vulnerable:

Check Confluence version against Atlassian's affected versions list in the advisory

Check Version:

Check Confluence admin panel or view confluence/WEB-INF/classes/build.properties

Verify Fix Applied:

Verify Confluence version is updated to a patched version and test template injection attempts are blocked

📡 Detection & Monitoring

Log Indicators:

Unusual template syntax in page edits
Suspicious Java class loading
Unexpected process execution from Confluence user

Network Indicators:

Outbound connections from Confluence server to unknown destinations
Unusual traffic patterns from Confluence

SIEM Query:

source="confluence.log" AND ("template" OR "velocity" OR "freemarker") AND ("inject" OR "eval" OR "execute")

📊 Metadata

CVE ID: CVE-2023-22522

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-74

Published: December 6, 2023

Last Updated: February 25, 2026

🔗 References

https://confluence.atlassian.com/pages/viewpage.action?pageId=1319570362 Vendor Advisory
https://jira.atlassian.com/browse/CONFSERVER-93502 Vendor Advisory
https://confluence.atlassian.com/pages/viewpage.action?pageId=1319570362 Vendor Advisory
https://jira.atlassian.com/browse/CONFSERVER-93502 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-22522, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Confluence Data Center by Atlassian

Confluence Data Center by Atlassian

Confluence Data Center by Atlassian

Confluence Data Center by Atlassian

Confluence Data Center by Atlassian

Confluence Server by Atlassian

Confluence Server by Atlassian

Confluence Server by Atlassian

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable anonymous access

Network segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities