
RCE (Remote Code Execution) in Confluence Data Center and Server

• CVSS score: 8.3
• High
• CVE-2024-21672
• Bug Bounty
• DDV_UA
• CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
• RCE (Remote Code Execution)
• Confluence Data Center, Confluence Server
• High

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1 of Confluence Data Center and Server.

This Remote Code Execution (RCE) vulnerability, with a CVSS score of 8.3 and a CVSS vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, allows an unauthenticated attacker to remotely expose assets in your environment that are susceptible to exploitation. It has high impact to confidentiality, high impact to integrity and high impact to availability, and requires user interaction.

Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

• Confluence Data Center and Server 7.19: Upgrade to release 7.19.18, or any higher 7.19.x release
• Confluence Data Center and Server 8.5: Upgrade to release 8.5.5, or any higher 8.5.x release
• Confluence Data Center 8.7: Upgrade to release 8.7.2, or any higher release

See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).


ICICI Bank Atlassian Support Team added a comment (edited):

Will version 7.19.17 be affected?

Kindly confirm on priority.

Marco De Luca added a comment:

Will this be fixed in 8.5.6?

Mohit Saraf added a comment:

Does this impact 8.6.2?

Claus Koell added a comment:

As Nathan Neulinger has mentioned, we are also seeing a lot of bugs in 8.5.5! Page tree broken, macro browser and so on ...

Nathan Neulinger added a comment:

To help anyone else that might have this plugin installed, this article has a DB query for checking for usage of the legacy calendar plugin down at the bottom. We just chose to uninstall completely based on lack of actual use since 2008 in our case.

https://confluence.atlassian.com/teamcal/install-team-calendars-241566248.html

Nathan Neulinger added a comment:

Same result there - toggling that Calendar plugin off and then back on again clears the symptom. It sounds very much like it's doing something that is plugin load order dependent.

Tobias Heinemann added a comment (edited):

@Nathan: We have had the same problem and had to disable 'Calendar Plugin' (confluence.extra.calendar version 2.7.2.1).

Nathan Neulinger added a comment:

Strangely, toggling safe mode on and off again appears to have started things working again - that's very strange.

Nathan Neulinger added a comment:

8.5.5 appears to be badly broken - all sorts of problems moving from 8.5.4. Have an open support case PSSRV-102188 but no response yet.

Breaks page tree, macro browser, numerous links on page tools, etc.

Alex Kulichkov added a comment:

Is 8.6.2 affected?

Assignee: Unassigned
Security Metrics Bot (security-metrics-bot)
Votes: 0
Watchers: 22
