Getting error "Resource name must end with .vm, .vmd, .css or .xml" after Confluence is upgraded

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After Confluence is upgraded for fixing CVE-2023-22522, when a user tries to access a page or use a feature provided by third party plugins/app, the page is not able to render and redirects the user to a Page not found or System Error page.

Environment

Confluence 7.19.17, 8.4.5, 8.5.4, 8.6.2, 8.7.1

Diagnosis

When accessing some Confluence pages, it shows the Page Not Found error or System Error page: 

(Auto-migrated image: description temporarily unavailable)
(Auto-migrated image: description temporarily unavailable)

In atlassian-confluence.log, you may see the following error stack trace: 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 2023-12-07 06:20:49,517 ERROR [http-nio-8090-exec-18 url: /display/ABCD, /spaces/viewspace.action, /display/ABCD/Testing, /pages/viewpage.action; user: test] [confluence.util.velocity.VelocityUtils] getRenderedTemplate Error occurred rendering template: theme-press/templates/macros/content-layer.vm -- url: /display/ABCD | traceId: 34bba0ef64919054 | userName: Test | page: 12345 | action: viewpage org.apache.velocity.exception.ResourceNotFoundException: Resource name must end with .vm, .vmd, .css or .xml at com.atlassian.confluence.util.velocity.ConfigurableResourceManager.loadResource(ConfigurableResourceManager.java:331) at com.atlassian.confluence.util.velocity.ConfigurableResourceManager.getResource(ConfigurableResourceManager.java:305) at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1400) at org.apache.velocity.runtime.directive.Parse.render(Parse.java:198) at com.atlassian.confluence.setup.velocity.ProfilingParseDirective.render(ProfilingParseDirective.java:21) at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:175) at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:336) at org.apache.velocity.Template.merge(Template.java:328) at org.apache.velocity.Template.merge(Template.java:235) at com.atlassian.confluence.util.velocity.VelocityUtils.renderTemplateWithoutSwallowingErrors(VelocityUtils.java:70) at com.atlassian.confluence.util.velocity.VelocityUtils.renderTemplateWithoutSwallowingErrors(VelocityUtils.java:76) at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplateWithoutSwallowingErrors(VelocityUtils.java:63) at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplate(VelocityUtils.java:42) at com.atlassian.confluence.util.velocity.VelocityUtils.getRenderedTemplate(VelocityUtils.java:33) ... ...

Cause

With the recent CVE-2023-22522 fix, Confluence is limited to only being able to execute file types with .vm, .vmd, .css, or .xml.

Solution

Atlassian suggests disabling the app/plugins that are throwing the error to avoid impact on daily work. 

We strongly encourage you to contact the plugin/app vendor that provides the feature to update the plugin/app and make it compatible with the affected Confluence version. 

Updated on March 10, 2025
Platform
Data Center only
Product
Confluence Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community