CONFSERVER-95832

RCE (Remote Code Execution) in Confluence Data Center and Server

    • Public Security Vulnerability
    • Resolution: Fixed
    • High
    • 8.9.1, 8.5.9, 7.19.22
    • 5.2, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1, 8.9.0
    • None
    • 7.2
    • High
    • CVE-2024-21683
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • RCE (Remote Code Execution)
    • Confluence Data Center

      This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.

      This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an admin-authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

       

      Data Center

      Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      Affected versions            | Fixed versions
      8.9.0                        | 8.9.1
      from 8.8.0 to 8.8.1          | 8.9.1
      from 8.7.0 to 8.7.2          | 8.9.1
      from 8.6.0 to 8.6.2          | 8.9.1
      from 8.5.0 to 8.5.8 LTS      | 8.9.1 or 8.5.9 LTS recommended
      from 8.4.0 to 8.4.5          | 8.9.1 or 8.5.9 LTS recommended
      from 8.3.0 to 8.3.4          | 8.9.1 or 8.5.9 LTS recommended
      from 8.2.0 to 8.2.3          | 8.9.1 or 8.5.9 LTS recommended
      from 8.1.0 to 8.1.4          | 8.9.1 or 8.5.9 LTS recommended
      from 8.0.0 to 8.0.4          | 8.9.1 or 8.5.9 LTS recommended
      from 7.20.0 to 7.20.3        | 8.9.1 or 8.5.9 LTS recommended
      from 7.19.0 to 7.19.21 LTS   | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
      from 7.18.0 to 7.18.3        | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
      from 7.17.0 to 7.17.5        | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS
      Any earlier versions         | 8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS

       

      Server

      Atlassian recommends that Confluence Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      Affected versions            | Fixed versions
      from 8.5.0 to 8.5.8 LTS      | 8.5.9 LTS recommended
      from 8.4.0 to 8.4.5          | 8.5.9 LTS recommended
      from 8.3.0 to 8.3.4          | 8.5.9 LTS recommended
      from 8.2.0 to 8.2.3          | 8.5.9 LTS recommended
      from 8.1.0 to 8.1.4          | 8.5.9 LTS recommended
      from 8.0.0 to 8.0.4          | 8.5.9 LTS recommended
      from 7.20.0 to 7.20.3        | 8.5.9 LTS recommended
      from 7.19.0 to 7.19.21 LTS   | 8.5.9 LTS recommended or 7.19.22 LTS
      from 7.18.0 to 7.18.3        | 8.5.9 LTS recommended or 7.19.22 LTS
      from 7.17.0 to 7.17.5        | 8.5.9 LTS recommended or 7.19.22 LTS
      Any earlier versions         | 8.5.9 LTS recommended or 7.19.22 LTS

       

      See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives).

      This vulnerability was found internally.


            Tim Eddelbüttel added a comment -

            Hi ggautam,

            you link here to your own internal calculator which calculates based on CVSS version 3.0 instead of 3.1? Looking here https://nvd.nist.gov/vuln/detail/CVE-2024-21683 the score is 8.8 and the CVSS version is 3.1.

            Link: https://www.oracle.com/security-alerts/cvssscoringsystem.html
            A CVSS version 3.0 score that has an Attack Complexity of High purely because a specific configuration is required for an attack to succeed will have an Attack Complexity of Low when scored with version 3.1. This results in a higher Base Score when scored with version 3.1 than for version 3.0.

            It would be also great if someone could finally:

              • publish the CVE Vector on this issue and also on the Vulnerability API: https://api.atlassian.com/vuln-transparency/v1/cves?cve_ids=CVE-2024-21683&products=Confluence+Data+Center
              • Reply to potential mitigations

            Kind Regards,
            Tim

            Ganesh Gautam added a comment -

            Hi 8e15921dad9b,

            This issue requires a high-privilege authenticated user for the attack to work, and as per the CVSS calculator, it should have been a 7.2. There was a mistake in calculating the CVSS, which we have corrected now. Please let us know if you have any other questions. We apologize for the inconvenience caused.

            Thanks

            Andreas Berge added a comment - - edited

            @ Kamil Kolonko kkolonko

            Why was the CVSS Score reduced from 8.3 to 7.2? The CVE-2024-21683 entry still has 8.3.


            Tim Eddelbüttel added a comment - https://blog.sonicwall.com/en-us/2024/05/confluence-data-center-and-server-remote-code-execution-vulnerability/

            Jason Kemp added a comment -

            If it's true that it's an admin endpoint, and given that it requires an "authenticated attacker", does that imply it requires admin authentication to exploit? That would have been important relevant information that should have been disclosed.

            Tim Eddelbüttel added a comment -

            Searching through some already publicly available resources, it looks like there is already a PoC available and the affected endpoint is ../admin/plugins/newcode/addlanguage.action. So related to the Confluence Code Macro -> Code Macro Administration - Add a new language feature.

            Just thinking... The endpoint comes through the XWork module "configure-newcode".

            atlassian-plugin.xml from newcode-macro-plugin-17.19.3.jar
            <xwork name="Configure Code Macro" key="configure-newcode">
                    <package name="newcode" extends="default" namespace="/admin/plugins/newcode">
                        <default-interceptor-ref name="validatingStack"/>
                        <action name="configure" class="com.atlassian.confluence.ext.code.config.ConfigureNewcodeAction"
                                method="input">
                            <result name="input" type="velocity">/templates/macros/newcode/config/configure-newcode.vm</result>
                        </action>
                        <action name="save" class="com.atlassian.confluence.ext.code.config.ConfigureNewcodeAction" method="save">
                            <param name="RequireSecurityToken">true</param>
                            <result name="input" type="velocity">/templates/macros/newcode/config/configure-newcode.vm</result>
                            <result name="error" type="velocity">/templates/macros/newcode/config/configure-newcode.vm</result>
                            <result name="success" type="velocity">/templates/macros/newcode/config/configure-newcode.vm</result>
                        </action>
                        <action name="addlanguage" class="com.atlassian.confluence.ext.code.config.ConfigureNewcodeAction"
                                method="addLanguage">
                            <param name="RequireSecurityToken">true</param>
                            <result name="input" type="velocity">/templates/macros/newcode/config/configure-newcode.vm</result>
                            <result name="error" type="velocity">/templates/macros/newcode/config/configure-newcode.vm</result>
                            <result name="success" type="velocity">/templates/macros/newcode/config/configure-newcode.vm</result>
                        </action>
                        <action name="removelanguage" class="com.atlassian.confluence.ext.code.config.ConfigureRpcAction"
                                method="removeLanguage">
                            <param name="RequireSecurityToken">true</param>
                            <result name="success" type="rawText"/>
                            <result name="input" type="rawText"/>
                            <result name="error" type="rawText"/>
                        </action>
                    </package>
                </xwork>

            So a potential mitigation would be to disable the configure-newcode module in the Code Macro Plugin?

            Can someone officially confirm this?
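
For defenders who want to review whether the admin endpoint named in the comment above has been requested on their instance, an access-log check along these lines can help. It is an added example, not part of the thread and not Atlassian code; it assumes a combined-format access log, and the sample lines, users and addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint quoted in the comment above; the context path before it varies.
ENDPOINT = "/admin/plugins/newcode/addlanguage.action"

# Assumption: combined log format. Adapt the pattern to your access-log layout.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, made-up users).
SAMPLE = [
    '192.0.2.10 - alice [22/May/2024:10:01:02 +0000] "GET /confluence/dashboard.action HTTP/1.1" 200 5120',
    '198.51.100.7 - admin [22/May/2024:10:03:11 +0000] "POST /confluence/admin/plugins/newcode/addlanguage.action HTTP/1.1" 200 9321',
    '198.51.100.7 - admin [22/May/2024:10:03:40 +0000] "POST /admin/plugins/newcode/addLanguage.action;jsessionid=ABC?x=1 HTTP/1.1" 403 512',
    '192.0.2.10 - alice [22/May/2024:10:05:00 +0000] "GET /confluence/admin/plugins/newcode/configure.action HTTP/1.1" 200 4000',
    '203.0.113.5 - - [22/May/2024:10:06:00 +0000] "POST /confluence/admin/plugins/newcode/%61ddlanguage.action HTTP/1.1" 302 0',
]


def normalise(target):
    """Reduce a request target to a comparable path."""
    path = unquote(urlsplit(target).path)   # drop query string, decode %xx
    path = re.sub(r";[^/]*", "", path)      # drop ;jsessionid=... parameters
    path = re.sub(r"/{2,}", "/", path)      # collapse repeated slashes
    return path.lower()                     # compare case-insensitively


def find_addlanguage_requests(lines):
    """Return one record per request whose path ends in ENDPOINT."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m and normalise(m["target"]).endswith(ENDPOINT):
            hits.append({k: m[k] for k in ("ts", "ip", "user", "method", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_addlanguage_requests(SAMPLE):
        print(hit)
```

Each hit is worth correlating with the administrator account and source address involved, since the advisory states the issue requires admin authentication.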

            Mirco Jung added a comment -

            You published this issue already on 15-May-2024, vulners (https://vulners.com/atlassian/CONFSERVER-95832) already copied this issue on that day.

            After that you hid the issue till now. Do you really think that is the most reliable way to communicate a High Priority Vulnerability? Potential attackers had multiple days to replicate the issue.

            Not every Atlassian partner has the capacity like us to have people refreshing your Issue Page all day and take screenshots - because you hide the issue shortly after again!

            Jason Kemp added a comment -

            Is there a temporary mitigation for this vulnerability?

              Unassigned Unassigned
              6c6381898ab2 Ankita Sawlani