CVE-2023-22527

CVE-2023-22527 is a critical-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-01-24). The underlying weakness is classified as CWE-74.

Key facts

Description

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

CVE-2023-22527: Atlassian Confluence Unauthenticated Template Injection Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2023-22527
Vendor Atlassian
Product Confluence Data Center and Server
CWE CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSS 3.1 9.8 Critical
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.99984 (99.982nd percentile)
Known Exploited Yes — CISA KEV added 2024-01-24
Ransomware Associated with ransomware campaigns
Assigner [email protected]

Summary

CVE-2023-22527 is an unauthenticated template injection vulnerability in Atlassian Confluence Data Center and Server that allows remote attackers to execute arbitrary code on the underlying server without credentials. The vulnerability has received a Critical CVSS 3.1 score of 9.8 and is under active exploitation in the wild.

Background

Atlassian Confluence is a widely deployed enterprise collaboration platform. Confluence uses server-side template rendering in some components. In affected versions, user-controlled input can reach the template engine and be evaluated as OGNL (Object-Graph Navigation Language) expressions, leading to unsafe code execution.

Root Cause

The vulnerability is classified as CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). The root cause is the unsafe evaluation of user-controlled input within the server-side template context. Specifically, input vectors that reach the template engine are not properly sanitized before being interpreted as expressions, allowing an attacker to inject and execute arbitrary commands on the host system.

Impact

The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects the severity:

Metric Value Interpretation
Attack Vector Network Exploitable over the internet
Attack Complexity Low No special conditions required
Privileges Required None Unauthenticated
User Interaction None Fully automated
Scope Unchanged Impact remains within the vulnerable component
Confidentiality High Total information disclosure
Integrity High Total data integrity compromise
Availability High Total system availability compromise

An unauthenticated attacker can achieve complete remote code execution, leading to full system compromise, data exfiltration, lateral movement, and deployment of ransomware.

Exploitation Walkthrough

Ethics caveat: This section is provided for defensive awareness and detection engineering only. Do not attempt to exploit systems you do not own or have explicit permission to test.

The attack chain follows a typical server-side template injection pattern:

  1. Reconnaissance — The attacker identifies an exposed Confluence instance running a vulnerable version.
  2. Injection — The attacker submits crafted input containing expression payloads to an endpoint that passes the input into a server-side template.
  3. Expression Evaluation — The template engine evaluates the injected content as executable code rather than literal data.
  4. Code Execution — The attacker gains remote code execution on the Confluence server, enabling subsequent payload delivery, persistence, and lateral movement.

Defensive teams should monitor for anomalous POST requests to Confluence endpoints, unexpected outbound connections from Confluence servers, and suspicious process spawning by the Confluence application user.

Affected and Patched Versions

According to the source data, older versions of Confluence Data Center and Server are affected. Atlassian's advisory notes that the most recent supported versions at the time of publication were not affected because the vulnerability was mitigated during regular version updates. NVD CPE entries list Confluence Data Center and Server broadly; specific upper-bound version ranges were not provided in the retrieved record. Administrators should consult the Atlassian security bulletin for definitive version guidance.

Remediation

  1. Upgrade — Atlassian recommends installing the latest supported version of Confluence Data Center or Server. Refer to the official Atlassian security bulletin for specific patch guidance.
  2. Compensating Controls — If immediate patching is not possible:
    • Restrict network access to Confluence administration and internal endpoints to trusted IP ranges.
    • Deploy a Web Application Firewall (WAF) with rules targeting template injection and expression-language injection patterns.
    • Monitor Confluence logs for suspicious input containing OGNL metacharacters (${, %{, @, etc.).

Detection

  • Network — Monitor for unusual POST requests to Confluence endpoints with payloads containing expression markers.
  • Endpoint — Alert on unexpected child processes spawned by the Confluence Java process.
  • Logs — Review Confluence access logs for repeated requests from single sources with large or encoded payloads.
  • Threat Intelligence — Correlate IP addresses attacking Confluence instances with known threat actor infrastructure linked to CVE-2023-22527 exploitation.

Assessment

With an EPSS score of 0.99984 (99.982nd percentile), this vulnerability is among the most likely to be exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on 2024-01-24, and it is associated with ransomware activity. The combination of unauthenticated network access, low attack complexity, and complete CIA triad impact makes this a patching priority.

Key lessons:

  1. Template engines must never evaluate user-controlled input directly; strict input validation and context-aware output encoding are essential.
  2. Active exploitation data (EPSS + KEV) should elevate patching timelines even when a vendor describes a vulnerability as already mitigated in current versions, because legacy instances often remain exposed.

References

Frequently asked questions

What is CVE-2023-22527?
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
How severe is CVE-2023-22527?
CVE-2023-22527 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-22527 being actively exploited?
Yes. CVE-2023-22527 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-01-24, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-22527?
CVE-2023-22527 primarily affects Atlassian Confluence Data Center. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-22527?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-22527 have an EU (EUVD) identifier?
Yes. CVE-2023-22527 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-26667. It is also flagged as exploited in the EUVD (since 2024-01-24).
When was CVE-2023-22527 published?
CVE-2023-22527 was published on 2024-01-16 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Atlassian Confluence Data Center

All CVEs affecting Atlassian Confluence Data Center →

Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities

Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →