CVE-2023-22527

9.8 CRITICAL

📋 TL;DR

This is a critical template injection vulnerability (CWE-74) in out-of-date Confluence Data Center and Server versions that lets an unauthenticated attacker execute arbitrary code on the server. Organizations running a vulnerable version face immediate risk of complete system compromise. Only older versions are affected; current supported releases already carry the fix.

💻 Affected Systems

Products:
  • Confluence Data Center
  • Confluence Server
Versions: Older (pre-mitigation) releases; the exact affected and fixed version ranges are not given in the CVE description and must be taken from the Atlassian advisory linked below
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only older versions are affected. The most recent supported versions are not vulnerable because the issue was mitigated in the regular update stream. Atlassian Cloud sites (*.atlassian.net) are hosted by Atlassian and are not affected.

📦 What is this software?

Confluence is Atlassian's wiki and team collaboration platform. Data Center and Server are the self-hosted editions that organizations run on their own infrastructure; those are the editions this CVE concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover: the attacker gains full control of the Confluence server (code runs as the Confluence service account), exfiltrates data, moves laterally into the rest of the network, and installs persistent backdoors.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, and potential ransomware deployment.

🟢 If Mitigated

No impact when running a fixed release. Network segmentation alone only reduces exposure: any host that can still reach the service can exploit it without credentials.

🌐 Internet-Facing: HIGH - Unauthenticated exploit makes internet-facing instances extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Internal instances remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists on Packet Storm Security, and the exploit needs no credentials and no user interaction, so exposed instances are targeted by automated mass scanning rather than by hand.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The fixed releases listed in the Atlassian advisory below (the CVE description does not name them; take the version numbers from the advisory, not from this page)

Vendor Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615

Restart Required: Yes

Instructions:

1. Check the current Confluence version (administration console, System Information page).
2. Back up the database, the Confluence home directory and the configuration.
3. Upgrade to a fixed release following the Atlassian upgrade guide.
4. Restart the Confluence service.
5. Verify the upgrade succeeded and the reported version is no longer in the affected range.

🔧 Temporary Workarounds

Network Isolation (applies to: all platforms)

Restrict network access to Confluence instances to trusted source addresses only. This reduces exposure but does not remove the vulnerability: every host that keeps access can still exploit it without credentials.

Use firewall rules that accept trusted sources first and drop everything else. Note that negation in iptables goes before the option, not after it; the allowlist form below avoids the question entirely:

iptables -A INPUT -p tcp --dport 8090 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP

Replace 8090 with the port Confluence actually listens on (8090 is the default for a direct deployment). If Confluence sits behind a reverse proxy, apply the allowlist at the proxy or on the proxy's port instead, and do not forget any secondary listener the deployment exposes.

Web Application Firewall (applies to: all platforms)

Deploy a WAF with template/OGNL injection rules. Treat this as a stop-gap only: signature rules are bypassable, and the public payloads can be re-encoded (for example double URL encoding) to slip past naive patterns.

🧯 If You Can't Patch

  • Immediately isolate affected systems from the internet and restrict internal network access to the minimum set of clients that need it
  • Implement strict monitoring for suspicious template-related requests and for command execution by the Confluence service account
  • Treat any instance that was internet-facing while unpatched as potentially already compromised: look for web shells, new admin users and unexpected scheduled tasks before trusting it again

🔍 How to Verify

Check if Vulnerable:

Compare the running Confluence version with the affected ranges in Atlassian's security advisory. If the instance runs an older (pre-mitigation) release, assume it is vulnerable.

Check Version:

Check the Confluence administration console (System Information page), or view confluence/WEB-INF/classes/build.properties under the installation directory. The version is also printed in the footer of the login page, so it can be read without credentials; that is exactly what scanners use to pick targets.

Verify Fix Applied:

Confirm the Confluence version reported by the running instance (not just the installer you downloaded) is a fixed release and no longer falls in the affected range, and that the service was restarted after the upgrade.
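The verification steps above amount to reading the version out of the instance and comparing it against the advisory's ranges. The following script is an added example, not part of the original page or of any Atlassian tooling: it extracts the version from a constructed login-page footer fragment and compares it against the affected ranges. The ranges are written in as an assumption reflecting Atlassian's advisory for this CVE at the time of writing; confirm them against the advisory linked above before relying on the result.

```python
import re

# Constructed fragment of a Confluence login page footer (not captured from a
# real server). Confluence prints its version there, so the check needs no login.
SAMPLE_LOGIN_HTML = """
<div id="footer">
  <p>Powered by <a href="https://www.atlassian.com/software/confluence">Atlassian Confluence</a>
  <span id="footer-build-information">8.5.3</span></p>
</div>
"""

VERSION_RE = re.compile(r'id="footer-build-information">\s*(\d+(?:\.\d+)+)\s*<')

# ASSUMPTION: affected ranges as listed in Atlassian's advisory for
# CVE-2023-22527 at the time of writing. Each entry is [low, high): a version is
# vulnerable when low <= version < high. Confirm against the advisory before use.
VULNERABLE_RANGES = [
    ((8, 0, 0), (8, 5, 4)),   # 8.0.x through 8.5.3; first fixed release 8.5.4 (LTS)
    ((8, 7, 0), (8, 7, 1)),   # 8.7.0; fixed in 8.7.1 (Data Center only)
]
# 8.6.0 is the first 8.6 release and already contains the fix, so 8.6 is not listed.


def parse_version(text):
    """Turn '8.5.3' into (8, 5, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def extract_version(html):
    """Pull the version string from the login page footer, or None if it is absent."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def is_vulnerable(version_text, ranges=VULNERABLE_RANGES):
    """True when the version falls inside any [low, high) range."""
    v = parse_version(version_text)
    v = v + (0,) * max(0, 3 - len(v))       # pad so '8.5' compares like (8, 5, 0)
    return any(low <= v < high for low, high in ranges)


def assess_login_page(html):
    """Combine both steps; status 'unknown' means the footer exposed no version."""
    version = extract_version(html)
    if version is None:
        return {"version": None, "status": "unknown"}
    status = "vulnerable" if is_vulnerable(version) else "not affected"
    return {"version": version, "status": status}


if __name__ == "__main__":
    print(assess_login_page(SAMPLE_LOGIN_HTML))
```

The version comparison works on integer tuples rather than strings so that 8.10 sorts after 8.5; a string comparison would get that wrong. Feed the function the HTML of your own instance's login page to run it for real.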

📡 Detection & Monitoring

Log Indicators:

  • Unusual Velocity template rendering errors in atlassian-confluence.log
  • HTTP requests to template endpoints (paths under /template/ ending in .vm) or requests whose parameters contain template or OGNL expression syntax
  • Unexpected child processes of the Confluence Java process, or command execution by the Confluence service account, in system logs

Network Indicators:

  • HTTP requests containing template injection payloads
  • Outbound connections from Confluence to unknown destinations

SIEM Query:

source="confluence.log" AND ("template" OR "velocity" OR "freemarker") AND (error OR exception)

This Splunk-style query is a coarse first pass and will be noisy on a busy instance, because Velocity errors occur in normal operation. Pair it with the access log, where a hit on a template endpoint is the stronger signal:

source="*access_log*" AND ("/template/" AND ".vm")
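To turn the indicators above into something that runs over real logs, here is an added example (not from the original page, and not an Atlassian or Packet Storm tool) that scans combined-format access-log lines for the two signals that matter for this CVE: direct requests to Velocity template paths, and OGNL expression markers in the query string. The log lines are constructed for the example; line 3 only mimics the shape of exploit traffic and is deliberately not a working payload. The marker patterns and the decoding depth are my choices, not a vendor signature.

```python
import re
from urllib.parse import unquote_plus

# Constructed reverse-proxy access-log lines in combined format; not real traffic.
# Lines 1 and 3 imitate the shape of exploit traffic for CVE-2023-22527 (line 3's
# payload is truncated and not a working chain); lines 2 and 4 are benign.
# Line 3 double-encodes '@' as %2540 to show why one round of decoding is not enough.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2024:10:15:01 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 137 "-" "python-requests/2.31"
198.51.100.9 - - [20/Jan/2024:10:15:03 +0000] "GET /display/ENG/Home HTTP/1.1" 200 58213 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2024:10:15:05 +0000] "GET /template/aui/text-inline.vm?label=%27%2B%23request%5B%27x%27%5D%2B%27&x=%2540java.lang.Runtime%2540getRuntime() HTTP/1.1" 200 140 "-" "curl/8.4.0"
10.0.0.5 - - [20/Jan/2024:10:16:00 +0000] "GET /rest/api/content?expand=body.storage HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Browsers do not request Velocity templates directly; the public exploits for
# this CVE send their payload to /template/aui/text-inline.vm.
TEMPLATE_PATH_RE = re.compile(r'^/template/.*\.vm$')

# OGNL / Velocity expression markers that have no business in a 'label' parameter.
OGNL_MARKERS = {
    "ognl-context-ref": re.compile(r'#(?:request|parameters|application|session)\b', re.I),
    "static-call":      re.compile(r'@[A-Za-z_][\w.]*@\w+'),          # @java.lang.Runtime@getRuntime
    "exec-method":      re.compile(r'[.@](?:exec|getRuntime|internalGet|findValue)\s*\(', re.I),
    "velocity-ref":     re.compile(r'\$\{?[a-z_]\w*\.'),
}


def decode_query(query, rounds=2):
    """URL-decode repeatedly so double-encoded payloads (%2540 -> %40 -> @) surface."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def assess(entry):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    path, _, query = entry["target"].partition("?")
    reasons = []
    if TEMPLATE_PATH_RE.match(path):
        reasons.append(f"direct request to Velocity template {path}")
    decoded = decode_query(query)
    for name, rx in OGNL_MARKERS.items():
        if rx.search(decoded):
            reasons.append(f"OGNL marker '{name}' in query string")
    if not reasons:
        return None
    return {"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "path": path, "reasons": reasons}


def scan(log_text):
    """Parse each line and collect findings; unparsable lines are skipped, not fatal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = assess(m.groupdict())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["path"], "; ".join(f["reasons"]))
```

Two caveats for real use. The exploit sends its payload in a POST body, which an access log does not record, so the path match is the signal you will actually get from Tomcat or proxy logs; the query-string markers only fire when a WAF or proxy logs parameters, or when an attacker uses GET. And a hit on the template path tells you an attempt happened, not whether it succeeded: follow up on the host with the process-execution indicators listed above.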
