CONFSERVER-95832

RCE (Remote Code Execution) in Confluence Data Center and Server

    • Issue type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: High
    • Fix versions: 8.9.1, 8.5.9, 7.19.22
    • Affected versions: 5.2, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1, 8.9.0
    • Components: None
    • CVSS score: 7.2
    • Severity: High
    • CVE ID: CVE-2024-21683
    • Source: Atlassian (Internal)
    • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • Vulnerability type: RCE (Remote Code Execution)
    • Product: Confluence Data Center

      This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.

      This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an admin-authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

       

      Data Center

      Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      ||Affected versions||Fixed versions||
      |8.9.0|8.9.1|
      |from 8.8.0 to 8.8.1|8.9.1|
      |from 8.7.0 to 8.7.2|8.9.1|
      |from 8.6.0 to 8.6.2|8.9.1|
      |from 8.5.0 to 8.5.8 LTS|8.9.1 or 8.5.9 LTS recommended|
      |from 8.4.0 to 8.4.5|8.9.1 or 8.5.9 LTS recommended|
      |from 8.3.0 to 8.3.4|8.9.1 or 8.5.9 LTS recommended|
      |from 8.2.0 to 8.2.3|8.9.1 or 8.5.9 LTS recommended|
      |from 8.1.0 to 8.1.4|8.9.1 or 8.5.9 LTS recommended|
      |from 8.0.0 to 8.0.4|8.9.1 or 8.5.9 LTS recommended|
      |from 7.20.0 to 7.20.3|8.9.1 or 8.5.9 LTS recommended|
      |from 7.19.0 to 7.19.21 LTS|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS|
      |from 7.18.0 to 7.18.3|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS|
      |from 7.17.0 to 7.17.5|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS|
      |Any earlier versions|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS|

       

      Server

      Atlassian recommends that Confluence Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      ||Affected versions||Fixed versions||
      |from 8.5.0 to 8.5.8 LTS|8.5.9 LTS recommended|
      |from 8.4.0 to 8.4.5|8.5.9 LTS recommended|
      |from 8.3.0 to 8.3.4|8.5.9 LTS recommended|
      |from 8.2.0 to 8.2.3|8.5.9 LTS recommended|
      |from 8.1.0 to 8.1.4|8.5.9 LTS recommended|
      |from 8.0.0 to 8.0.4|8.5.9 LTS recommended|
      |from 7.20.0 to 7.20.3|8.5.9 LTS recommended|
      |from 7.19.0 to 7.19.21 LTS|8.5.9 LTS recommended or 7.19.22 LTS|
      |from 7.18.0 to 7.18.3|8.5.9 LTS recommended or 7.19.22 LTS|
      |from 7.17.0 to 7.17.5|8.5.9 LTS recommended or 7.19.22 LTS|
      |Any earlier versions|8.5.9 LTS recommended or 7.19.22 LTS|

       

      See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives).

      This vulnerability was found internally.

            [CONFSERVER-95832] RCE (Remote Code Execution) in Confluence Data Center and Server

            Brian Leysath made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 921172 ]
            Mandeep Jadon made changes -
            CVSSv3 Vector Original: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H New: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
            Lee Berg made changes -
            CVSSv3 Vector New: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
            Ganesh Gautam made changes -
            Description Original: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.

            This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

             
            (remainder of the original description identical to the current description above)
            New: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.

            This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an admin-authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

             
            (remainder of the new description identical to the current description above)
            prodsec-jac-bot made changes -
            Status Original: Published [ 12873 ] New: Published [ 12873 ]
            prodsec-jac-bot made changes -
            Status Original: Published [ 12873 ] New: Published [ 12873 ]

            Tim Eddelbüttel added a comment -

            Hi ggautam,

            you link here to your own internal calculator which calculates based on CVSS version 3.0 instead of 3.1? Looking here https://nvd.nist.gov/vuln/detail/CVE-2024-21683 the score is 8.8 and the CVSS version is 3.1.

            Link: https://www.oracle.com/security-alerts/cvssscoringsystem.html
            A CVSS version 3.0 score that has an Attack Complexity of High purely because a specific configuration is required for an attack to succeed will have an Attack Complexity of Low when scored with version 3.1. This results in a higher Base Score when scored with version 3.1 than for version 3.0.

            It would also be great if someone could finally:
            • publish the CVE Vector on this issue and also on the Vulnerability API: https://api.atlassian.com/vuln-transparency/v1/cves?cve_ids=CVE-2024-21683&products=Confluence+Data+Center
            • reply to potential mitigations

            Kind Regards,
            Tim

            Ganesh Gautam added a comment -

            Hi 8e15921dad9b,

            This issue requires a high-privilege authenticated user for the attack to work, and as per the CVSS calculator it should have been a 7.2. There was a mistake in calculating the CVSS, which we have corrected now. Please let us know if you have any other questions. We apologize for the inconvenience caused.

            Thanks

            Andreas Berge added a comment - edited

            @Kamil Kolonko

            Why was the CVSS Score reduced from 8.3 to 7.2? The CVE-2024-21683 entry still has 8.3.
            Kamil Kolonko made changes -
            Description Original: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.

            This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.3, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

             
            (remainder of the original description identical to the current description above)
            New: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.

            This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

             
            (remainder of the new description identical to the current description above)

              Assignee: Unassigned
              Reporter: Ankita Sawlani
              Votes: 0
              Watchers: 17