
Security Insights: Tracking Confluence CVE-2023-22527

Analysis of the Atlassian Confluence template injection RCE vulnerability and comprehensive detection coverage for your environment.

cve confluence ssti rce exploitation detection splunk

Originally published on the Splunk Security Blog
Read the full article: Tracking Confluence CVE-2023-22527

The Vulnerability

CVE-2023-22527 is a server-side template injection vulnerability in out-of-date Atlassian Confluence Data Center and Server releases. A Velocity template that the server renders without authentication evaluates attacker-controlled input as an OGNL expression, so anyone who can reach the HTTP interface gets remote code execution as the Confluence service account.

CVSS Score: 10.0 (Critical)

Affected Versions

  • Confluence Data Center and Server 8.0.x through 8.5.3 (every 8.0, 8.1, 8.2, 8.3 and 8.4 release, and 8.5.0 to 8.5.3)
  • Fixed in 8.5.4 on the 8.5 LTS line and in 8.7.1; Confluence Cloud is not affected

Attack Vector

The bug sits in Velocity templates that Confluence ships and serves without authentication. /template/aui/text-inline.vm passes its label parameter through the Struts 2 value stack, so a crafted label is evaluated as an OGNL expression. Public exploit traffic POSTs the parameter with the quote and bracket characters written as OGNL \u0027-style escapes to slip past naive filtering:

POST /template/aui/text-inline.vm HTTP/1.1
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027)

Decoded, the body begins '+#request['.KEY_velocity.struts2.context'].internalGet('ognl'), which pulls the OGNL evaluator out of the Struts request context; only this opening fragment of the payload is shown here.

Why It’s Critical

  • No authentication is required; the vulnerable template is reachable before login
  • Confluence is commonly exposed to the internet
  • A wiki holds credentials, architecture notes and other sensitive internal documentation
  • Exploitation in the wild was observed within days of disclosure, once public proof-of-concept code appeared

Detection Strategies

Web Log Analysis

index=web sourcetype=confluence http_method=POST
  (uri_path="*text-inline.vm*" OR uri_path="*template/aui*")
| table _time, src_ip, uri_path, status, bytes_out

Field names here (uri_path, http_method, form_data) follow the Splunk Web data model; map them to whatever your Confluence access-log sourcetype actually extracts. A single POST to the template from an external address is already worth a look, since ordinary browser traffic has no reason to POST to a raw .vm template.

OGNL Injection Patterns

index=web sourcetype=confluence http_method=POST
  (form_data="*ognl*" OR form_data="*Runtime*" OR form_data="*getRuntime*"
   OR form_data="*#request*" OR form_data="*KEY_velocity*" OR form_data="*internalGet*")
| table _time, src_ip, uri_path, form_data

This search only works where request bodies are captured, for example by a WAF or reverse proxy that logs POST bodies; Confluence's own Tomcat access log does not record them. Scanners also URL-encode the payload and write quotes as \u0027 escapes, so match against the decoded body where your pipeline allows it.

Post-Exploitation

index=sysmon EventCode=1 ParentImage="*java*" User="*confluence*" NOT Image="*java*"
| table _time, Computer, User, ParentImage, Image, CommandLine

The wildcard exclusion has to live in the search clause: a `where Image!="*java*"` compares the literal string "*java*" and would never filter anything out. On Windows the Sysmon User field carries a domain prefix, hence the leading wildcard; on Sysmon for Linux it is the bare account name.
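The three searches above are Splunk SPL and cannot be run outside Splunk. The following is an added example, not code from the original article, that re-implements the same logic in Python so it can be checked offline: it parses constructed access-log lines (a combined-format layout with a trailing quoted request body, as a reverse proxy with body capture would write it), decodes URL and OGNL \uXXXX escapes before matching the markers, and applies the Java-parent/non-Java-child rule to constructed Sysmon-style events. The log format, field names and sample data are all assumptions made for the example.

```python
"""Offline version of the three detection searches above, run over constructed
sample data (added example, not the article's code)."""
import re
import urllib.parse

# Endpoints from the article: the template used by public exploit traffic and
# the directory it lives in.
TEMPLATE_PREFIX = "/template/aui/"
EXPLOITED_TEMPLATE = "text-inline.vm"

# Strings worth flagging in a request body: the ones in the request shown above
# plus the generic Java command-execution sinks the SPL search looks for.
OGNL_MARKERS = ("#request", "KEY_velocity", "internalGet", "ognl",
                "getRuntime", "ProcessBuilder")

# OGNL string literals accept \uXXXX escapes, which is why the public payload
# writes quotes as \u0027; expand them before matching.
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

# Constructed log layout: combined format plus a trailing quoted request body, as
# a reverse proxy or WAF with body capture would write it (Confluence's own
# access log does not record POST bodies).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>.*)")?$'
)

def normalize(body: str) -> str:
    """URL-decode twice (undoes double encoding) and expand \\uXXXX escapes."""
    s = urllib.parse.unquote_plus(body)  # %2b -> '+', '+' -> ' '
    s = urllib.parse.unquote(s)          # second layer, leaving '+' alone
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)

def classify_request(line: str):
    """Return a finding for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    path = urllib.parse.unquote(d["path"]).split("?", 1)[0]
    reasons = []
    # Search 1: POST to the exploited template, or anything under /template/aui/
    if d["method"] == "POST" and (
        path.endswith(EXPLOITED_TEMPLATE) or path.startswith(TEMPLATE_PREFIX)
    ):
        reasons.append("post_to_template_vm")
    # Search 2: OGNL markers, matched after decoding so encoding does not hide them
    body = normalize(d["body"] or "").lower()
    hits = [mk for mk in OGNL_MARKERS if mk.lower() in body]
    if hits:
        reasons.append("ognl:" + ",".join(hits))
    if not reasons:
        return None
    return {"src": d["src"], "path": path, "status": d["status"], "reasons": reasons}

def scan_access_log(lines):
    return [f for f in map(classify_request, lines) if f]

def flag_child_processes(events):
    """Search 3: Sysmon EventCode 1 where a Java parent running as the Confluence
    service account spawns something that is not Java."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        parent, image = ev.get("ParentImage", "").lower(), ev.get("Image", "").lower()
        if "java" in parent and "java" not in image and "confluence" in ev.get("User", "").lower():
            findings.append((ev.get("Computer"), image, ev.get("CommandLine", "")))
    return findings

# Constructed sample data, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [22/Jan/2024:10:00:01 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 5120',
    # scanner checking that the template is reachable: POST, no body
    '203.0.113.9 - - [22/Jan/2024:10:00:05 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 1345',
    # exploit-shaped POST: %2b is '+', %23 is '#', %5C is the backslash of \u0027
    '203.0.113.9 - - [22/Jan/2024:10:00:07 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 1345 '
    '"label=%5Cu0027%2b%23request%5Cu005b%5Cu0027.KEY_velocity.struts2.context%5Cu0027%5Cu005d.internalGet(%5Cu0027ognl%5Cu0027)"',
    # GET of the same template from an internal host: not a POST, no body, not flagged
    '10.0.0.8 - bob [22/Jan/2024:10:01:00 +0000] "GET /template/aui/text-inline.vm HTTP/1.1" 200 400',
]
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "wiki01", "User": "confluence", "CommandLine": "bash -c 'id; uname -a'",
     "ParentImage": "/opt/atlassian/confluence/jre/bin/java", "Image": "/usr/bin/bash"},
    {"EventCode": 1, "Computer": "wiki01", "User": "confluence", "CommandLine": "java -version",
     "ParentImage": "/opt/atlassian/confluence/jre/bin/java", "Image": "/opt/atlassian/confluence/jre/bin/java"},
    {"EventCode": 1, "Computer": "wiki01", "User": "root", "CommandLine": "bash /etc/cron.daily/backup",
     "ParentImage": "/usr/sbin/cron", "Image": "/usr/bin/bash"},
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG) + flag_child_processes(SAMPLE_EVENTS):
        print(finding)
```

The decode-before-match step is the part the SPL cannot do on its own: a body that arrives as %5Cu0027%2b%23request contains none of the literal markers until the URL and \uXXXX layers are stripped. The POST-without-body line is still reported, since a probe of the template is itself a lead, while the JVM forking another java process is deliberately left alone to keep the process rule quiet.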

Indicators of Compromise

  • POST requests to /template/aui/text-inline.vm from external addresses (text-inline.vm is the template public tooling uses; watch the whole /template/aui/ path)
  • OGNL markers in request bodies: #request, KEY_velocity, internalGet, and \u0027-style escapes standing in for quotes
  • The Confluence Java process spawning shells, scripting interpreters or download tools
  • Unusual outbound connections from the Confluence server, typically callbacks from a first-stage command

Mitigation

  • Upgrade to a fixed release (8.5.4 or later on the 8.5 LTS line, or 8.7.1 or later)
  • If you cannot upgrade right away, take the instance off the internet or restrict it to trusted networks and back it up; the bug is reachable before login, so only blocking access stops an exploit attempt
  • Run the searches above on a schedule and hunt back through logs from the disclosure date, since exposed instances may already have been compromised
  • Block known scanning and exploitation IPs as a short-lived measure; attacker infrastructure rotates, so treat this as a supplement, not a control

Read the full analysis: Tracking Confluence CVE-2023-22527
