
147 vulnerabilities found for confluence_server by atlassian

CVE-2025-22166 (GCVE-0-2025-22166)

Vulnerability from nvd – Published: 2025-10-21 16:00 – Updated: 2025-10-21 16:21
Summary
This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center. This DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 8.5: upgrade to a release greater than or equal to 8.5.25; Confluence Data Center and Server 9.2: upgrade to a release greater than or equal to 9.2.7; Confluence Data Center and Server 10.0: upgrade to a release greater than or equal to 10.0.2. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Atlassian (Internal) program.
CWE
  • DoS (Denial of Service)
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 9.5.1 to 9.5.4
Affected: 9.4.0 to 9.4.1
Affected: 9.3.1 to 9.3.2
Affected: 9.2.0 to 9.2.6
Affected: 9.1.0 to 9.1.1
Affected: 9.0.1 to 9.0.3
Affected: 8.9.0 to 8.9.8
Affected: 8.8.0 to 8.8.1
Affected: 8.7.1 to 8.7.2
Affected: 8.6.1 to 8.6.2
Affected: 8.5.3 to 8.5.24
Affected: 7.19.16 to 7.19.30
Unaffected: 10.0.2 to 10.0.3
Unaffected: 9.2.7 to 9.2.9
Unaffected: 8.5.25 to 8.5.27

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22166",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-21T16:21:21.142041Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-405",
                "description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T16:21:27.828Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "9.5.1 to 9.5.4"
            },
            {
              "status": "affected",
              "version": "9.4.0 to 9.4.1"
            },
            {
              "status": "affected",
              "version": "9.3.1 to 9.3.2"
            },
            {
              "status": "affected",
              "version": "9.2.0 to 9.2.6"
            },
            {
              "status": "affected",
              "version": "9.1.0 to 9.1.1"
            },
            {
              "status": "affected",
              "version": "9.0.1 to 9.0.3"
            },
            {
              "status": "affected",
              "version": "8.9.0 to 8.9.8"
            },
            {
              "status": "affected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "affected",
              "version": "8.7.1 to 8.7.2"
            },
            {
              "status": "affected",
              "version": "8.6.1 to 8.6.2"
            },
            {
              "status": "affected",
              "version": "8.5.3 to 8.5.24"
            },
            {
              "status": "affected",
              "version": "7.19.16 to 7.19.30"
            },
            {
              "status": "unaffected",
              "version": "10.0.2 to 10.0.3"
            },
            {
              "status": "unaffected",
              "version": "9.2.7 to 9.2.9"
            },
            {
              "status": "unaffected",
              "version": "8.5.25 to 8.5.27"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.4.1",
                  "versionStartIncluding": "9.4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.4.1:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.3.2",
                  "versionStartIncluding": "9.3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.2.6",
                  "versionStartIncluding": "9.2.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.2:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.3:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.4:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.5:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.6:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.1.1",
                  "versionStartIncluding": "9.1.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.0.3",
                  "versionStartIncluding": "9.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.9.8",
                  "versionStartIncluding": "8.9.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.8.1",
                  "versionStartIncluding": "8.8.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.7.2",
                  "versionStartIncluding": "8.7.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.6.2",
                  "versionStartIncluding": "8.6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.5.24",
                  "versionStartIncluding": "8.5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.13:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.22:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.23:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.24:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "7.19.30",
                  "versionStartIncluding": "7.19.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.7:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.8:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.9:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.25:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.26:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.27:*:*:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center.\r\n\r\nThis DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network.\r\n\r\nAtlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.25\r\n Confluence Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7\r\n Confluence Data Center and Server 10.0: Upgrade to a release greater than or equal to 10.0.2\r\n\r\nSee the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).\r\n\r\nThis vulnerability was reported via our Atlassian (Internal) program."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "DoS (Denial of Service)",
              "lang": "en",
              "type": "DoS (Denial of Service)"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-21T16:00:05.978Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1652920034"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-100907"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2025-22166",
    "datePublished": "2025-10-21T16:00:05.978Z",
    "dateReserved": "2025-01-01T00:01:27.176Z",
    "dateUpdated": "2025-10-21T16:21:27.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-22512 (GCVE-0-2023-22512)

Vulnerability from nvd – Published: 2025-03-17 22:34 – Updated: 2025-05-12 15:39
Summary
This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a vulnerable host (Confluence instance) connected to a network, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: upgrade to a release greater than or equal to 7.19.14; Confluence Data Center and Server 8.5: upgrade to a release greater than or equal to 8.5.1; Confluence Data Center and Server 8.6 or above: no need to upgrade, you're already on a patched version. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
CWE
  • DoS (Denial of Service)
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Unaffected: < 5.6.0
Affected: >= 5.6.0
Unaffected: >= 7.19.13
Unaffected: >= 7.19.14
Unaffected: >= 8.5.1
Unaffected: >= 8.6.0
    Atlassian Confluence Server Unaffected: < 5.6.0
Affected: >= 5.6.0
Unaffected: >= 7.19.13
Unaffected: >= 7.19.14
Unaffected: >= 8.5.1
Unaffected: >= 8.6.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-22512",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T15:38:47.977501Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T15:39:27.035Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 5.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.6.0"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.13"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.14"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.1"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.6.0"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 5.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.6.0"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.13"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.14"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.1"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a vulnerable host (Confluence instance) connected to a network, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.14 Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.1 Confluence Data Center and Server 8.6 or above: No need to upgrade, you\u0027re already on a patched version See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ]). This vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "DoS (Denial of Service)",
              "lang": "en",
              "type": "DoS (Denial of Service)"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-17T22:34:42.950Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-91258"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2023-22512",
    "datePublished": "2025-03-17T22:34:42.950Z",
    "dateReserved": "2023-01-01T00:01:22.330Z",
    "dateUpdated": "2025-05-12T15:39:27.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21703 (GCVE-0-2024-21703)

Vulnerability from nvd – Published: 2024-11-27 17:00 – Updated: 2024-11-27 17:33
Summary
This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4, allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: upgrade to a release greater than or equal to 7.19.18; Confluence Data Center and Server 8.5: upgrade to a release greater than or equal to 8.5.5; Confluence Data Center and Server 8.7: upgrade to a release greater than or equal to 8.7.2; Confluence Data Center and Server 8.8: upgrade to a release greater than or equal to 8.8.0. See the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot. (Note: the "introduced in version 8.8.1" statement conflicts with this record's impacted-products list, which marks 8.7.1 as affected and 8.8.0 to 8.8.1 as unaffected; confirm the affected range against the vendor advisory before scoping.)
CWE
  • Security Misconfiguration
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 8.7.1
Unaffected: 8.8.0 to 8.8.1
Unaffected: 8.7.2
Unaffected: 8.5.5 to 8.5.17
Unaffected: 7.19.18 to 7.19.29
    Atlassian Confluence Server Unaffected: 8.5.5 to 8.5.17
Unaffected: 7.19.18 to 7.19.29
Credits
Chris Elliot

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.1918",
                "status": "affected",
                "version": "7.19",
                "versionType": "custom"
              },
              {
                "lessThan": "8.5.5",
                "status": "affected",
                "version": "8.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.7.2",
                "status": "affected",
                "version": "8.7",
                "versionType": "custom"
              },
              {
                "lessThan": "8.8.0",
                "status": "affected",
                "version": "8.8",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_server",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.19.18",
                "status": "affected",
                "version": "7.19",
                "versionType": "custom"
              },
              {
                "lessThan": "8.5.5",
                "status": "affected",
                "version": "8.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.7.2",
                "status": "affected",
                "version": "8.7",
                "versionType": "custom"
              },
              {
                "lessThan": "8.8.0",
                "status": "affected",
                "version": "8.8",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-21703",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-27T17:24:22.500451Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-732",
                "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-27T17:33:53.585Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.7.1"
            },
            {
              "status": "unaffected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "unaffected",
              "version": "8.7.2"
            },
            {
              "status": "unaffected",
              "version": "8.5.5 to 8.5.17"
            },
            {
              "status": "unaffected",
              "version": "7.19.18 to 7.19.29"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "8.5.5 to 8.5.17"
            },
            {
              "status": "unaffected",
              "version": "7.19.18 to 7.19.29"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Chris Elliot"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations.\n\n\n\nThis Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration which has high impact to confidentiality, high impact to integrity,  high impact to availability, and no user interaction.\n\n\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to the latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\n* Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.18 \n* Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.5\n* Confluence Data Center and Server 8.7: Upgrade to a release greater than or equal to 8.7.2\n* Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.0\n\n\n\nSee the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ). \n\nThis vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Security Misconfiguration",
              "lang": "en",
              "type": "Security Misconfiguration"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-27T17:00:01.507Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-98413"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21703",
    "datePublished": "2024-11-27T17:00:01.507Z",
    "dateReserved": "2024-01-01T00:05:33.849Z",
    "dateUpdated": "2024-11-27T17:33:53.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21690 (GCVE-0-2024-21690)

Vulnerability from nvd – Published: 2024-08-21 16:05 – Updated: 2024-11-06 18:47
Summary
This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser and force an end user to execute unwanted actions on a web application in which they're currently authenticated, which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: upgrade to a release greater than or equal to 7.19.26; Confluence Data Center and Server 8.5: upgrade to a release greater than or equal to 8.5.14; Confluence Data Center and Server 9.0: upgrade to a release greater than or equal to 9.0.1. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
CWE
  • Reflected XSS
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 8.9.0 to 8.9.5
Affected: 8.8.0 to 8.8.1
Affected: 8.7.1 to 8.7.2
Affected: 8.6.0 to 8.6.2
Affected: 8.5.0 to 8.5.12
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Unaffected: 9.0.1 to 9.0.2
Unaffected: 8.5.14
Unaffected: 7.19.26
    Atlassian Confluence Server Affected: 8.5.0 to 8.5.12
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Unaffected: 8.5.14
Unaffected: 7.19.26

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21690",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-22T13:51:34.740469Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T18:47:21.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.9.0 to 8.9.5"
            },
            {
              "status": "affected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "affected",
              "version": "8.7.1 to 8.7.2"
            },
            {
              "status": "affected",
              "version": "8.6.0 to 8.6.2"
            },
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.12"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "unaffected",
              "version": "9.0.1 to 9.0.2"
            },
            {
              "status": "unaffected",
              "version": "8.5.14"
            },
            {
              "status": "unaffected",
              "version": "7.19.26"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.12"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "unaffected",
              "version": "8.5.14"
            },
            {
              "status": "unaffected",
              "version": "7.19.26"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. \n\t\n\tThis Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they\u0027re currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. \n\t\n\tAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\t\t\n\t\t* Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26\n\t\t\n\t\t* Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14\n\t\t\n\t\t* Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1\n\t\t\n\t\t\n\t\n\tSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). \n\t\n\tThis vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Reflected XSS",
              "lang": "en",
              "type": "Reflected XSS"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-21T17:00:02.995Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-97720"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21690",
    "datePublished": "2024-08-21T16:05:00.394Z",
    "dateReserved": "2024-01-01T00:05:33.847Z",
    "dateUpdated": "2024-11-06T18:47:21.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21686 (GCVE-0-2024-21686)

Vulnerability from nvd – Published: 2024-07-16 20:00 – Updated: 2025-03-19 18:24
Summary
This High severity Stored XSS vulnerability was introduced in version 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser. It has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
CWE
  • Stored XSS
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 8.9.0
Affected: 8.8.0 to 8.8.1
Affected: 8.7.1 to 8.7.2
Affected: 8.6.0 to 8.6.2
Affected: 8.5.0 to 8.5.8
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Affected: 7.19.0 to 7.19.21
Unaffected: 8.9.1 to 8.9.4
Unaffected: 8.5.9 to 8.5.12
Unaffected: 7.19.22 to 7.19.25
    Atlassian Confluence Server Affected: 8.5.0 to 8.5.8
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Affected: 7.19.0 to 7.19.21
Unaffected: 8.5.9 to 8.5.12
Unaffected: 7.19.22 to 7.19.25

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:36.033Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/CONFSERVER-96134"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "status": "affected",
                "version": "8.9.0"
              },
              {
                "lessThanOrEqual": "8.8.1",
                "status": "affected",
                "version": "8.8.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.7.2",
                "status": "affected",
                "version": "8.7.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.6.2",
                "status": "affected",
                "version": "8.6.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.5.8",
                "status": "affected",
                "version": "8.5.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.4.5",
                "status": "affected",
                "version": "8.4.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.3.4",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.2.3",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.1.4",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.0.4",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.20.3",
                "status": "affected",
                "version": "7.20.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.19.21",
                "status": "affected",
                "version": "7.19.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.9.4",
                "status": "affected",
                "version": "8.9.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.5.12",
                "status": "affected",
                "version": "8.5.9",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.19.25",
                "status": "affected",
                "version": "7.19.22",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_server",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThanOrEqual": "8.5.8",
                "status": "affected",
                "version": "8.5.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.4.5",
                "status": "affected",
                "version": "8.4.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.3.4",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.2.3",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.1.4",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.0.4",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.20.3",
                "status": "affected",
                "version": "7.20.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.19.21",
                "status": "affected",
                "version": "7.19.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.5.12",
                "status": "affected",
                "version": "8.5.9",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.19.25",
                "status": "affected",
                "version": "7.19.22",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21686",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-05T15:34:59.884690Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-19T18:24:42.880Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.9.0"
            },
            {
              "status": "affected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "affected",
              "version": "8.7.1 to 8.7.2"
            },
            {
              "status": "affected",
              "version": "8.6.0 to 8.6.2"
            },
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.8"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "affected",
              "version": "7.19.0 to 7.19.21"
            },
            {
              "status": "unaffected",
              "version": "8.9.1 to 8.9.4"
            },
            {
              "status": "unaffected",
              "version": "8.5.9 to 8.5.12"
            },
            {
              "status": "unaffected",
              "version": "7.19.22 to 7.19.25"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.8"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "affected",
              "version": "7.19.0 to 7.19.21"
            },
            {
              "status": "unaffected",
              "version": "8.5.9 to 8.5.12"
            },
            {
              "status": "unaffected",
              "version": "7.19.22 to 7.19.25"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server.\n\nThis Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE\n\nSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).\n\nThis vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Stored XSS",
              "lang": "en",
              "type": "Stored XSS"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-16T20:00:02.617Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-96134"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21686",
    "datePublished": "2024-07-16T20:00:02.156Z",
    "dateReserved": "2024-01-01T00:05:33.847Z",
    "dateUpdated": "2025-03-19T18:24:42.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21683 (GCVE-0-2024-21683)

Vulnerability from nvd – Published: 2024-05-21 23:00 – Updated: 2025-05-12 15:22
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code. It has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes: https://confluence.atlassian.com/doc/confluence-release-notes-327.html. You can download the latest version of Confluence Data Center and Server from the download center: https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.
CWE
  • RCE (Remote Code Execution)
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 8.9.0
Affected: 8.8.0 to 8.8.1
Affected: 8.7.1 to 8.7.2
Affected: 8.6.0 to 8.6.2
Affected: 8.5.0 to 8.5.8
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Affected: 7.19.0 to 7.19.21
Unaffected: 8.9.1 to 8.9.2
Unaffected: 8.5.9 to 8.5.10
Unaffected: 7.19.22 to 7.19.23
Credits
Atlassian

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "status": "affected",
                "version": "8.9.0"
              },
              {
                "lessThanOrEqual": "8.8.1",
                "status": "affected",
                "version": "8.8.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.7.2",
                "status": "affected",
                "version": "8.7.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.6.2",
                "status": "affected",
                "version": "8.6.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.5.8",
                "status": "affected",
                "version": "8.5.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.4.5",
                "status": "affected",
                "version": "8.4.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.3.4",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.2.3",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.1.4",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.0.4",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.20.3",
                "status": "affected",
                "version": "7.20.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.1921",
                "status": "affected",
                "version": "7.19.0",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "8.9.1"
              },
              {
                "status": "affected",
                "version": "8.5.9"
              },
              {
                "status": "affected",
                "version": "7.19.22"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21683",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-20T03:55:34.077361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T15:22:41.587Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.9.0"
            },
            {
              "status": "affected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "affected",
              "version": "8.7.1 to 8.7.2"
            },
            {
              "status": "affected",
              "version": "8.6.0 to 8.6.2"
            },
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.8"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "affected",
              "version": "7.19.0 to 7.19.21"
            },
            {
              "status": "unaffected",
              "version": "8.9.1 to 8.9.2"
            },
            {
              "status": "unaffected",
              "version": "8.5.9 to 8.5.10"
            },
            {
              "status": "unaffected",
              "version": "7.19.22 to 7.19.23"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Atlassian"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.\n\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\u00a0\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html\n\nYou can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives.\n\nThis vulnerability was found internally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "RCE (Remote Code Execution)",
              "lang": "en",
              "type": "RCE (Remote Code Execution)"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-14T20:55:38.532Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1409286211"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-95832"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21683",
    "datePublished": "2024-05-21T23:00:00.446Z",
    "dateReserved": "2024-01-01T00:05:33.846Z",
    "dateUpdated": "2025-05-12T15:22:41.587Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21677 (GCVE-0-2024-21677)

Vulnerability from nvd – Published: 2024-03-19 17:00 – Updated: 2025-03-13 17:39
Summary
This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions.

Data Center: Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions (the advisory text does not list them; see the entries marked Unaffected under Impacted products below).

See the release notes: https://confluence.atlassian.com/doc/confluence-release-notes-327.html
You can download the latest version of Confluence Data Center and Server from the download center: https://www.atlassian.com/software/confluence/download-archives

This vulnerability was reported via our Bug Bounty program.

Note: the vendor record gives the weakness type only as "Other"; the CISA ADP enrichment in the record below classifies it as CWE-22 (Path Traversal).
CWE
  • Other
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Unaffected: < 6.13.0
Affected: >= 6.13.0
Affected: >= 7.19.0
Affected: >= 7.20.0
Affected: >= 8.0.0
Affected: >= 8.1.0
Affected: >= 8.2.0
Affected: >= 8.3.0
Affected: >= 8.4.0
Affected: >= 8.5.0
Affected: >= 8.6.0
Affected: >= 8.7.1
Affected: >= 8.8.0
Unaffected: >= 7.19.20
Unaffected: >= 8.5.7
Unaffected: >= 8.8.1

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:8.8.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "status": "affected",
                "version": "8.8.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:8.7.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:7.19.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:7.20.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.0.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.1.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.2.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.3.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.4.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.5:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.6.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.19.19",
                "status": "affected",
                "version": "7.19.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.20.3",
                "status": "affected",
                "version": "7.20.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.0.4",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.1.4",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.2.3",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.3.4",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.4.5",
                "status": "affected",
                "version": "8.4.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.5.6",
                "status": "affected",
                "version": "8.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.6.2",
                "status": "affected",
                "version": "8.6.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.7.2",
                "status": "affected",
                "version": "8.7.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:7.17.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.17.5",
                "status": "affected",
                "version": "7.17.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.18.3",
                "status": "affected",
                "version": "7.18.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.17.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21677",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-10T04:00:27.568364Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-13T17:39:21.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:35.969Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/CONFSERVER-94604"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 6.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.19.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.20.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.1.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.2.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.3.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.5.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.7.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.8.0"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.20"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.7"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version.\n\nIf you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html\n\nYou can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. \n\nThis vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Other",
              "lang": "en",
              "type": "Other"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-19T17:30:00.500Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-94604"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21677",
    "datePublished": "2024-03-19T17:00:00.486Z",
    "dateReserved": "2024-01-01T00:05:33.846Z",
    "dateUpdated": "2025-03-13T17:39:21.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21678 (GCVE-0-2024-21678)

Vulnerability from nvd – Published: 2024-02-20 18:00 – Updated: 2024-10-31 15:16
Summary
This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction.

Data Center

Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

||Affected versions||Fixed versions||
|from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2|
|from 8.6.0 to 8.6.1|8.8.0 recommended|
|from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS|
|from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS|
|from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS|
|from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS|
|from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS|
|from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS|
|from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS|
|from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS|
|from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|
|from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|
|Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|

Server

Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

||Affected versions||Fixed versions||
|from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended|
|from 8.4.0 to 8.4.5|8.5.6 LTS recommended|
|from 8.3.0 to 8.3.4|8.5.6 LTS recommended|
|from 8.2.0 to 8.2.3|8.5.6 LTS recommended|
|from 8.1.0 to 8.1.4|8.5.6 LTS recommended|
|from 8.0.0 to 8.0.4|8.5.6 LTS recommended|
|from 7.20.0 to 7.20.3|8.5.6 LTS recommended|
|from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS|
|from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS|
|from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS|
|Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS|

See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives).

This vulnerability was reported via our Bug Bounty program.
CWE
  • Stored XSS
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Unaffected: < 2.7.0
Affected: >= 2.7.0
Affected: >= 7.13.0
Affected: >= 7.19.0
Affected: >= 7.20.0
Affected: >= 8.0.0
Affected: >= 8.1.0
Affected: >= 8.2.0
Affected: >= 8.3.0
Affected: >= 8.4.0
Affected: >= 8.5.0
Affected: >= 8.6.0
Affected: >= 8.7.1
Unaffected: >= 7.19.18
Unaffected: >= 8.5.5
Unaffected: >= 8.7.2
Unaffected: >= 8.8.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21678",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T18:49:48.543984Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T15:16:18.788Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:35.810Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/CONFSERVER-94513"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 2.7.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.7.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.19.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.20.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.1.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.2.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.3.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.5.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.7.1"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.18"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.5"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.7.2"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.8.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center.\r\n\r\nThis Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction.\r\nData Center\r\n\r\nAtlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n||Affected versions||Fixed versions||\r\n|from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2|\r\n|from 8.6.0 to 8.6.1|8.8.0 recommended|\r\n|from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS|\r\n|from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS|\r\n|from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS|\r\n|from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\n|from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\n|Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\nServer\r\n\r\nAtlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. 
If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n\r\n\u00a0\r\n||Affected versions||Fixed versions||\r\n|from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended\u00a0|\r\n|from 8.4.0 to 8.4.5|8.5.6 LTS recommended|\r\n|from 8.3.0 to 8.3.4|8.5.6 LTS recommended|\r\n|from 8.2.0 to 8.2.3|8.5.6 LTS recommended|\r\n|from 8.1.0 to 8.1.4|8.5.6 LTS recommended|\r\n|from 8.0.0 to 8.0.4|8.5.6 LTS recommended|\r\n|from 7.20.0 to 7.20.3|8.5.6 LTS recommended|\r\n|from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS|\r\n|from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS|\r\n|from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS|\r\n|Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS|\r\n\r\nSee the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).\r\n\r\nThis vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Stored XSS",
              "lang": "en",
              "type": "Stored XSS"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T18:00:00.727Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-94513"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21678",
    "datePublished": "2024-02-20T18:00:00.727Z",
    "dateReserved": "2024-01-01T00:05:33.846Z",
    "dateUpdated": "2024-10-31T15:16:18.788Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

FKIE_CVE-2025-22166

Vulnerability from fkie_nvd - Published: 2025-10-21 16:15 - Updated: 2025-12-05 19:22
Summary
This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center. This DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network.

Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
- Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.25
- Confluence Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7
- Confluence Data Center and Server 10.0: Upgrade to a release greater than or equal to 10.0.2

See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives).

This vulnerability was reported via our Atlassian (Internal) program.

Note: the 8.3 figure is the CVSS 4.0 base score supplied by Atlassian (vector with PR:L); the NVD primary CVSS 3.1 assessment in the record below is 7.5 (vector with PR:N). Check which score your triage process keys on.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D558D1C-94B1-4F03-B25D-5C9572ACD9D2",
              "versionEndExcluding": "8.5.25",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CEEEF74E-9B32-4CA0-B892-C5559B44F031",
              "versionEndExcluding": "9.2.7",
              "versionStartIncluding": "9.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "46B5C105-6E80-4CE7-9928-8C0C6321E94E",
              "versionEndExcluding": "10.0.2",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8BA896B-97EF-4D11-82F8-BBCADE5DAE45",
              "versionEndExcluding": "8.5.25",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9CFF1E61-C6D4-4699-AD54-C8C7F4D1282F",
              "versionEndExcluding": "9.2.7",
              "versionStartIncluding": "9.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "100D4CEB-7E91-4046-82D7-1BBF48EFB7E1",
              "versionEndExcluding": "10.0.2",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center.\r\n\r\nThis DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network.\r\n\r\nAtlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.25\r\n Confluence Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7\r\n Confluence Data Center and Server 10.0: Upgrade to a release greater than or equal to 10.0.2\r\n\r\nSee the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).\r\n\r\nThis vulnerability was reported via our Atlassian (Internal) program."
    }
  ],
  "id": "CVE-2025-22166",
  "lastModified": "2025-12-05T19:22:44.947",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-21T16:15:37.370",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1652920034"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-100907"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-405"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21703

Vulnerability from fkie_nvd - Published: 2024-11-27 17:15 - Updated: 2025-07-30 17:13
Summary
This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4, allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.18 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.5 * Confluence Data Center and Server 8.7: Upgrade to a release greater than or equal to 8.7.2 * Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.0 See the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot. Note: the version information in this record is internally inconsistent. The text says the issue was introduced in 8.8.1 yet names 8.8.0 as a fixed release, and the CPE ranges in the record below mark much earlier releases (for example, everything before 7.19.18) as vulnerable when running on Windows. Assess exposure against the fixed-version list and the linked vendor issue (CONFSERVER-98413) rather than the "introduced in" version.
References

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DDC31B88-ABAC-4A73-A9A4-8091F0A645C1",
              "versionEndExcluding": "7.19.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5266B28-B9C7-4195-A97C-03FC81F96F20",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C38A252-CF7F-42A0-AAC0-6974EDF166DD",
              "versionEndExcluding": "8.7.2",
              "versionStartIncluding": "8.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "70D51CA1-1082-468D-8A79-E853B8F1529C",
              "versionEndExcluding": "7.19.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DD9E1B3-92B8-4A9F-80F2-19AC8D47726E",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations.\n\n\n\nThis Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration which has high impact to confidentiality, high impact to integrity,  high impact to availability, and no user interaction.\n\n\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to the latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\n* Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.18 \n* Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.5\n* Confluence Data Center and Server 8.7: Upgrade to a release greater than or equal to 8.7.2\n* Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.0\n\n\n\nSee the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ). \n\nThis vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad de configuraci\u00f3n incorrecta de seguridad de gravedad media se introdujo en la versi\u00f3n 8.8.1 de Confluence Data Center y Server para instalaciones de Windows. Esta vulnerabilidad de configuraci\u00f3n incorrecta de seguridad, con una puntuaci\u00f3n CVSS de 6,4, permite que un atacante autenticado del host de Windows lea informaci\u00f3n confidencial sobre la configuraci\u00f3n de Confluence Data Center que tiene un alto impacto en la confidencialidad, la integridad y la disponibilidad, y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center and Server actualicen a la \u00faltima versi\u00f3n. Si no puede hacerlo, actualice su instancia a una de las versiones fijas compatibles especificadas: * Confluence Data Center and Server 7.19: actualice a una versi\u00f3n mayor o igual a 7.19.18 * Confluence Data Center and Server 8.5: actualice a una versi\u00f3n mayor o igual a 8.5.5 * Confluence Data Center and Server 8.7: actualice a una versi\u00f3n mayor o igual a 8.7.2 * Confluence Data Center and Server 8.8: actualice a una versi\u00f3n mayor o igual a 8.8.0 Consulte las notas de la versi\u00f3n (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center and Server desde el centro de descargas (https://www.atlassian.com/software/confluence/download-archives). Chris Elliot inform\u00f3 sobre esta vulnerabilidad a trav\u00e9s de nuestro programa Atlassian Bug Bounty."
    }
  ],
  "id": "CVE-2024-21703",
  "lastModified": "2025-07-30T17:13:50.407",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-27T17:15:10.260",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory",
        "Issue Tracking"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-98413"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21690

Vulnerability from fkie_nvd - Published: 2024-08-21 16:15 - Updated: 2025-07-30 13:59
Summary
This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser and force an end user to execute unwanted actions on a web application in which they're currently authenticated, which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program. Note: the 7.1 score is the vendor's CVSS 3.0 rating; the record below also carries an NVD primary CVSS 3.1 score of 8.2 with scope changed, which triage should take into account. The CPE range for the 8.5 line in the record ends at 8.5.12 while the stated fix is 8.5.14, so version matching driven by the CPE data may not flag 8.5.13; confirm against the vendor advisory.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C05D3F7-EE92-4673-BC3D-DD0FDFC7B381",
              "versionEndIncluding": "7.19.25",
              "versionStartIncluding": "7.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA11366E-1323-4E23-BC48-98E5A278ACBC",
              "versionEndIncluding": "7.20.3",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E04D444-3EB1-4738-B7E2-5B7AE2E5E362",
              "versionEndIncluding": "8.0.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F0C549F-BE94-4E69-AD21-7472364DCDEE",
              "versionEndIncluding": "8.1.4",
              "versionStartIncluding": "8.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0850948D-AE6D-4DCA-9BA0-9980E6BFC202",
              "versionEndIncluding": "8.2.3",
              "versionStartIncluding": "8.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63D5B3B0-7F7E-49B6-8C2D-FF4D824A9315",
              "versionEndIncluding": "8.3.4",
              "versionStartIncluding": "8.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "57BDBED4-B502-444B-8C8C-EDC8CD0717F1",
              "versionEndIncluding": "8.4.5",
              "versionStartIncluding": "8.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3262FAE2-5C0C-49AA-989A-FF43E800A306",
              "versionEndIncluding": "8.5.12",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A28B7617-2765-4C27-AC74-8C583ABF1977",
              "versionEndIncluding": "8.6.2",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3582FFA-70EF-42A8-991C-EFDBFDA46324",
              "versionEndIncluding": "8.7.2",
              "versionStartIncluding": "8.7.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7609ACF-D93D-4C78-BA4F-61D007A81236",
              "versionEndIncluding": "8.8.1",
              "versionStartIncluding": "8.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6F39219-D14B-4100-87C2-3C7F26CD4D63",
              "versionEndIncluding": "8.9.4",
              "versionStartIncluding": "8.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D93A22F-4280-43A3-9A03-D52E9C75DD21",
              "versionEndIncluding": "7.19.25",
              "versionStartIncluding": "7.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "72EB6154-9A86-4A14-A341-D357D9FCB0DF",
              "versionEndIncluding": "7.20.3",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACE3F2DE-01CD-4CBC-B8F5-86ACCA6DC62A",
              "versionEndIncluding": "8.0.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8201C848-0F3F-42B3-9430-A628CFC96B1B",
              "versionEndIncluding": "8.1.4",
              "versionStartIncluding": "8.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4451E75A-00F4-4AC2-BE18-CCB1471B88BF",
              "versionEndIncluding": "8.2.3",
              "versionStartIncluding": "8.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5FF2B9F-070E-458F-BD17-20A4ECBEAD72",
              "versionEndIncluding": "8.3.4",
              "versionStartIncluding": "8.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71CE6EAD-724D-49C4-BE5A-C45884C1F237",
              "versionEndIncluding": "8.4.5",
              "versionStartIncluding": "8.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "20039FE1-7142-451D-9087-BA7BA422F9FC",
              "versionEndIncluding": "8.5.12",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA046009-AC63-4DF2-90E0-38873BD4614E",
              "versionEndIncluding": "8.6.2",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "11CE8DCE-25DD-4C53-B371-2F300B8FCE4E",
              "versionEndIncluding": "8.7.2",
              "versionStartIncluding": "8.7.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A02AF351-CE42-4E7F-9802-958F6216B980",
              "versionEndIncluding": "8.8.1",
              "versionStartIncluding": "8.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "15145C2D-7136-4816-8625-08948DA41487",
              "versionEndIncluding": "8.9.4",
              "versionStartIncluding": "8.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. \n\t\n\tThis Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they\u0027re currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. \n\t\n\tAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\t\t\n\t\t* Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26\n\t\t\n\t\t* Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14\n\t\t\n\t\t* Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1\n\t\t\n\t\t\n\t\n\tSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). \n\t\n\tThis vulnerability was reported via our Bug Bounty program."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad de alta gravedad XSS reflejado y CSRF (Cross-Site Request Forgery) se introdujo en las versiones 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0 y 8.9.0 de Confluence Data Center y Server. Esta vulnerabilidad XSS reflejado y CSRF (Cross-Site Request Forgery), con una puntuaci\u00f3n CVSS de 7,1, permite a un atacante no autenticado ejecutar c\u00f3digo HTML o JavaScript arbitrario en el navegador de una v\u00edctima y obligar a un usuario final a ejecutar acciones no deseadas en una aplicaci\u00f3n web en el que est\u00e1n actualmente autenticados, lo que tiene un alto impacto en la confidencialidad, un bajo impacto en la integridad, ning\u00fan impacto en la disponibilidad y requiere la interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: * Confluence Data Center y Server 7.19: actualice a una versi\u00f3n superior o igual a 7.19.26 * Confluence Data Center y Server 8.5: actualice a una versi\u00f3n mayor o igual a 8.5.14 * Confluence Data Center y Server 9.0: actualice a una versi\u00f3n mayor o igual a 9.0.1 Consulte las notas de la versi\u00f3n (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center and Server desde el centro de descargas (https://www.atlassian.com/software/confluence/download-archives). Esta vulnerabilidad se inform\u00f3 a trav\u00e9s de nuestro programa Bug Bounty."
    }
  ],
  "id": "CVE-2024-21690",
  "lastModified": "2025-07-30T13:59:54.627",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-21T16:15:07.390",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory",
        "Issue Tracking"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-97720"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21686

Vulnerability from fkie_nvd - Published: 2024-07-16 20:15 - Updated: 2025-03-19 19:15
Summary
This High severity Stored XSS vulnerability was introduced in version 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser, which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program. Note: this summary names no fixed versions; the CPE ranges in the record below end (exclusive) at 7.19.22, 8.5.9 and 8.9.1, which makes those the first releases not marked vulnerable. The 7.3 score is the vendor's CVSS 3.0 rating; the record also carries an NVD primary CVSS 3.1 score of 8.7 with scope changed.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF356AF1-3073-4277-9D8D-073EE828B871",
              "versionEndExcluding": "7.19.22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0CB3601-761D-43F8-B66C-55054BBAFF3E",
              "versionEndExcluding": "8.5.9",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3F27384-4809-4FBD-B816-D99F0249C451",
              "versionEndExcluding": "8.9.1",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "66B02E56-D3EB-4B72-BD50-AB248E6DD7A3",
              "versionEndExcluding": "7.19.22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "753291B2-629C-4E1C-8026-9189E7A85213",
              "versionEndExcluding": "8.5.9",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server.\n\nThis Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE\n\nSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).\n\nThis vulnerability was reported via our Bug Bounty program."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad XSS almacenado de alta gravedad se introdujo en las versiones 7.13 de Confluence Data Center y Server. Esta vulnerabilidad XSS almacenado, con una puntuaci\u00f3n CVSS de 7,3, permite a un atacante autenticado ejecutar c\u00f3digo HTML o JavaScript arbitrario en el navegador de una v\u00edctima, lo que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, ning\u00fan impacto en la disponibilidad y requiere la interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones correctoras admitidas especificadas que se enumeran en este CVE. Consulte las notas de la versi\u00f3n (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center and Server desde el centro de descargas (https://www.atlassian.com/software/confluence/download-archives). Esta vulnerabilidad fue reportada a trav\u00e9s de nuestro programa Bug Bounty."
    }
  ],
  "id": "CVE-2024-21686",
  "lastModified": "2025-03-19T19:15:40.200",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 5.2,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-16T20:15:02.900",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-96134"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-96134"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21683

Vulnerability from fkie_nvd - Published: 2024-05-21 23:15 - Updated: 2025-05-12 16:15
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was found internally.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "D7B3C669-9F09-41DF-BBE7-924A59EDC2DE",
              "versionEndExcluding": "7.19.24",
              "versionStartIncluding": "7.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA11366E-1323-4E23-BC48-98E5A278ACBC",
              "versionEndIncluding": "7.20.3",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E04D444-3EB1-4738-B7E2-5B7AE2E5E362",
              "versionEndIncluding": "8.0.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F0C549F-BE94-4E69-AD21-7472364DCDEE",
              "versionEndIncluding": "8.1.4",
              "versionStartIncluding": "8.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0850948D-AE6D-4DCA-9BA0-9980E6BFC202",
              "versionEndIncluding": "8.2.3",
              "versionStartIncluding": "8.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63D5B3B0-7F7E-49B6-8C2D-FF4D824A9315",
              "versionEndIncluding": "8.3.4",
              "versionStartIncluding": "8.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "57BDBED4-B502-444B-8C8C-EDC8CD0717F1",
              "versionEndIncluding": "8.4.5",
              "versionStartIncluding": "8.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "9551EBA1-2B49-4420-867D-2B20C76C41C4",
              "versionEndExcluding": "8.5.11",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A28B7617-2765-4C27-AC74-8C583ABF1977",
              "versionEndIncluding": "8.6.2",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F595865-0E49-45DC-B30F-F0AFEE524F07",
              "versionEndExcluding": "8.9.3",
              "versionStartIncluding": "8.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0A3DA1F-C35D-464A-8E01-B2D8F05F85A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1147BC2D-633D-40BB-8303-53D5FE8CB0FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3F13F5EE-7BAE-4F46-ACDD-65155EF457F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AFB1065-37A0-49ED-BA0A-F2F01797F45A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "CD7F7846-0310-483C-8F99-899ABBBB020E",
              "versionEndExcluding": "7.19.24",
              "versionStartIncluding": "7.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "72EB6154-9A86-4A14-A341-D357D9FCB0DF",
              "versionEndIncluding": "7.20.3",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACE3F2DE-01CD-4CBC-B8F5-86ACCA6DC62A",
              "versionEndIncluding": "8.0.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8201C848-0F3F-42B3-9430-A628CFC96B1B",
              "versionEndIncluding": "8.1.4",
              "versionStartIncluding": "8.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4451E75A-00F4-4AC2-BE18-CCB1471B88BF",
              "versionEndIncluding": "8.2.3",
              "versionStartIncluding": "8.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5FF2B9F-070E-458F-BD17-20A4ECBEAD72",
              "versionEndIncluding": "8.3.4",
              "versionStartIncluding": "8.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71CE6EAD-724D-49C4-BE5A-C45884C1F237",
              "versionEndIncluding": "8.4.5",
              "versionStartIncluding": "8.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "4C148D09-E45D-473E-9794-6C9AD0FC0AE6",
              "versionEndExcluding": "8.5.11",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA046009-AC63-4DF2-90E0-38873BD4614E",
              "versionEndIncluding": "8.6.2",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5361DD21-10D1-4FBB-A358-61C0836BEDE1",
              "versionEndIncluding": "8.9.2",
              "versionStartIncluding": "8.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:8.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABB0C806-A61F-4238-BE92-25FD9B771EFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:8.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1245106-DD17-410F-963D-6877C19ED65D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:8.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4F9DEA9-BBB4-4205-9557-CAD0184DA3F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:8.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "7228BE60-B856-4C52-B7A5-014D1768CD33",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D4B4DC7-D3A9-4A0C-9C9B-68711F2472AA",
              "versionEndExcluding": "4.8.15",
              "versionStartIncluding": "4.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA6AF694-D9E9-47C3-B8FB-643163511825",
              "versionEndExcluding": "4.8.15",
              "versionStartIncluding": "4.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "78397A02-75F9-487F-927F-FE6AFE5E7093",
              "versionEndExcluding": "9.4.21",
              "versionStartIncluding": "9.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "F445667E-4ED3-4678-A4CF-967256B1B971",
              "versionEndExcluding": "9.12.8",
              "versionStartIncluding": "9.12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "3987D09A-187F-4830-BF59-D1AC122A9A25",
              "versionEndExcluding": "9.4.21",
              "versionStartIncluding": "9.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "C7030689-7B4A-45C7-830B-6DCA8D621C1A",
              "versionEndExcluding": "9.12.8",
              "versionStartIncluding": "9.12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "52690604-A588-4FF9-AC7B-AAD650341830",
              "versionEndExcluding": "5.4.21",
              "versionStartIncluding": "5.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "85E5EC00-D5EA-4F73-9863-D0E49B876758",
              "versionEndExcluding": "5.12.8",
              "versionStartIncluding": "5.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "8C9730C4-AC8D-4090-BD5A-9C84FEBF45C5",
              "versionEndExcluding": "5.16.0",
              "versionStartIncluding": "5.15.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
              "matchCriteriaId": "4653B8B5-A878-4652-A33D-F33A1A8FF467",
              "versionEndExcluding": "5.4.21",
              "versionStartIncluding": "5.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
              "matchCriteriaId": "6BD985F0-7250-4ACA-8060-8361F1FB94BE",
              "versionEndExcluding": "5.12.8",
              "versionStartIncluding": "5.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.15.2:*:*:*:server:*:*:*",
              "matchCriteriaId": "0EB3116A-C1A0-4CA8-9404-FB705DE5B14A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.\n\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\u00a0\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html\n\nYou can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives.\n\nThis vulnerability was found internally."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo) de alta gravedad se introdujo en la versi\u00f3n 5.2 de Confluence Data Center and Server. Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo), con una puntuaci\u00f3n CVSS de 8,3, permite a un atacante autenticado ejecutar c\u00f3digo arbitrario que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, un alto impacto en la disponibilidad y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n. Si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas. Consulte las notas de la versi\u00f3n https://confluence.atlassian.com/doc/confluence-release-notes-327.html Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center and Server desde el centro de descargas https://www.atlassian.com /software/confluence/descargar-archivos. Esta vulnerabilidad se encontr\u00f3 internamente."
    }
  ],
  "id": "CVE-2024-21683",
  "lastModified": "2025-05-12T16:15:20.467",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security@atlassian.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-05-21T23:15:07.923",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1409286211"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-95832"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21677

Vulnerability from fkie_nvd - Published: 2024-03-19 17:15 - Updated: 2025-03-13 18:15
Summary
This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions. Data Center: Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3610D21-039C-44BC-A7B7-C811A8B63C66",
              "versionEndExcluding": "7.19.20",
              "versionStartIncluding": "6.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C6BCADE-F919-4383-9590-657B55FC2038",
              "versionEndExcluding": "8.5.7",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "940C0A51-20D3-4A2B-B7CB-D3510BC39BFD",
              "versionEndExcluding": "8.8.1",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "504EF14C-2CBF-44F7-8E32-C8DB686767CE",
              "versionEndExcluding": "7.19.20",
              "versionStartIncluding": "6.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "95D064BC-D0CA-45E4-96EA-D0A5CE3631CD",
              "versionEndExcluding": "8.5.7",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version.\n\nIf you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html\n\nYou can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. \n\nThis vulnerability was reported via our Bug Bounty program."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad de Path Traversal de alta gravedad se introdujo en la versi\u00f3n 6.13.0 de Confluence Data Center. Esta vulnerabilidad Path Traversal, con una puntuaci\u00f3n CVSS de 8.3, permite a un atacante no autenticado explotar una vulnerabilidad indefinible que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, un alto impacto en la disponibilidad y requiere la interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: Data Center Atlassian recomienda que los clientes de Confluence Data Center actualicen a la \u00faltima versi\u00f3n y que Los clientes de Confluence Server actualizan a la \u00faltima versi\u00f3n 8.5.x LTS. Si no puede hacerlo, actualice su instancia a una de las versiones fijas compatibles especificadas. Consulte las notas de la versi\u00f3n https://confluence.atlassian.com/doc/confluence-release-notes-327.html. Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center y Server desde el centro de descargas https://www.atlassian.com/software/confluence/download-archives. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s de nuestro programa Bug Bounty."
    }
  ],
  "id": "CVE-2024-21677",
  "lastModified": "2025-03-13T18:15:37.700",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 6.0,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-19T17:15:09.837",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94604"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94604"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21678

Vulnerability from fkie_nvd - Published: 2024-02-20 18:15 - Updated: 2025-05-06 14:52
Summary
This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser, which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction. Data Center: Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: ||Affected versions||Fixed versions|| |from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2| |from 8.6.0 to 8.6.1|8.8.0 recommended| |from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS| |from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS| |from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS| |from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS| |from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS| |from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS| |from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS| |from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| Server: Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. 
If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:   ||Affected versions||Fixed versions|| |from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended | |from 8.4.0 to 8.4.5|8.5.6 LTS recommended| |from 8.3.0 to 8.3.4|8.5.6 LTS recommended| |from 8.2.0 to 8.2.3|8.5.6 LTS recommended| |from 8.1.0 to 8.1.4|8.5.6 LTS recommended| |from 8.0.0 to 8.0.4|8.5.6 LTS recommended| |from 7.20.0 to 7.20.3|8.5.6 LTS recommended| |from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS| |Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS| See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was reported via our Bug Bounty program.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "848C3CE0-8968-4772-A57D-EFA33902B1CA",
              "versionEndExcluding": "7.19.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "10A7DF3C-D435-4704-A4FA-D28C2F3F0EA8",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "07E9D88B-CFCF-4309-90FC-C5B5DC07A01B",
              "versionEndExcluding": "8.7.2",
              "versionStartIncluding": "8.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E92CF035-1E0F-41D9-B5FD-A9259B743F9C",
              "versionEndExcluding": "7.19.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C65FB31F-0BB9-416C-BD19-CD75A99AB1B1",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "7.20.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center.\r\n\r\nThis Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction.\r\nData Center\r\n\r\nAtlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n||Affected versions||Fixed versions||\r\n|from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2|\r\n|from 8.6.0 to 8.6.1|8.8.0 recommended|\r\n|from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS|\r\n|from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS|\r\n|from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS|\r\n|from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\n|from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\n|Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\nServer\r\n\r\nAtlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. 
If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n\r\n\u00a0\r\n||Affected versions||Fixed versions||\r\n|from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended\u00a0|\r\n|from 8.4.0 to 8.4.5|8.5.6 LTS recommended|\r\n|from 8.3.0 to 8.3.4|8.5.6 LTS recommended|\r\n|from 8.2.0 to 8.2.3|8.5.6 LTS recommended|\r\n|from 8.1.0 to 8.1.4|8.5.6 LTS recommended|\r\n|from 8.0.0 to 8.0.4|8.5.6 LTS recommended|\r\n|from 7.20.0 to 7.20.3|8.5.6 LTS recommended|\r\n|from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS|\r\n|from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS|\r\n|from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS|\r\n|Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS|\r\n\r\nSee the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).\r\n\r\nThis vulnerability was reported via our Bug Bounty program."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad XSS almacenada de alta gravedad se introdujo en la versi\u00f3n 2.7.0 de Confluence Data Center. Esta vulnerabilidad XSS almacenada, con una puntuaci\u00f3n CVSS de 8,5, permite a un atacante autenticado ejecutar c\u00f3digo HTML o JavaScript arbitrario en el navegador de una v\u00edctima, lo que tiene un alto impacto en la confidencialidad, un bajo impacto en la integridad, ning\u00fan impacto en la disponibilidad y no requiere interacci\u00f3n del usuario. Centro de datos Atlassian recomienda que los clientes de Confluence Data Center actualicen a la \u00faltima versi\u00f3n. Si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: ||Versiones afectadas||Versiones fijas|| |de 8.7.0 a 8.7.1|se recomienda 8.8.0 o 8.7.2| |de 8.6.0 a 8.6.1|se recomienda 8.8.0| |de 8.5.0 a 8.5.4 LTS|se recomienda 8.8.0 o 8.5.5 LTS o 8.5.6 LTS| |de 8.4.0 a 8.4.5|se recomienda 8.8.0 o 8.5.6 LTS| |de 8.3.0 a 8.3.4|se recomienda 8.8.0 o 8.5.6 LTS| |de 8.2.0 a 8.2.3|se recomienda 8.8.0 o 8.5.6 LTS| |de 8.1.0 a 8.1.4|se recomienda 8.8.0 o 8.5.6 LTS| |de 8.0.0 a 8.0.4|se recomienda 8.8.0 o 8.5.6 LTS| |de 7.20.0 a 7.20.3|se recomienda 8.8.0 o 8.5.6 LTS| |de 7.19.0 a 7.19.17 LTS|se recomienda 8.8.0 o 8.5.6 LTS o 7.19.18 LTS o 7.19.19 LTS| |de 7.18.0 a 7.18.3|se recomienda 8.8.0 o 8.5.6 LTS o 7.19.19 LTS| |de 7.17.0 a 7.17.5|se recomienda 8.8.0 o 8.5.6 LTS o 7.19.19 LTS| |Cualquier versi\u00f3n anterior|se recomienda 8.8.0 o 8.5.6 LTS o 7.19.19 LTS| Server Atlassian recomienda que los clientes de Confluence Server actualicen a la \u00faltima versi\u00f3n 8.5.x LTS. 
Si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: ||Versiones afectadas||Versiones fijas|| |de 8.5.0 a 8.5.4 LTS|Se recomienda 8.5.5 LTS o 8.5.6 LTS | |de 8.4.0 a 8.4.5|se recomienda 8.5.6 LTS| |de 8.3.0 a 8.3.4|se recomienda 8.5.6 LTS| |de 8.2.0 a 8.2.3|se recomienda 8.5.6 LTS| |de 8.1.0 a 8.1.4|se recomienda 8.5.6 LTS| |de 8.0.0 a 8.0.4|se recomienda 8.5.6 LTS| |de 7.20.0 a 7.20.3|se recomienda 8.5.6 LTS| |de 7.19.0 a 7.19.17 LTS|Se recomienda 8.5.6 LTS o 7.19.18 LTS o 7.19.19 LTS| |de 7.18.0 a 7.18.3|Se recomienda 8.5.6 LTS o 7.19.19 LTS| |de 7.17.0 a 7.17.5|Se recomienda 8.5.6 LTS o 7.19.19 LTS| |Cualquier versi\u00f3n anterior|se recomienda 8.5.6 LTS o 7.19.19 LTS| Consulte las notas de la versi\u00f3n ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center desde el centro de descargas ([https://www.atlassian.com/software/confluence/download-archives]). Esta vulnerabilidad se inform\u00f3 a trav\u00e9s de nuestro programa Bug Bounty."
    }
  ],
  "id": "CVE-2024-21678",
  "lastModified": "2025-05-06T14:52:00.460",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.7,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T18:15:50.897",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94513"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94513"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2023-22512

Vulnerability from fkie_nvd - Published: 2024-01-16 18:15 - Updated: 2025-05-12 16:15
Summary
This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a vulnerable host (Confluence instance) connected to a network, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: upgrade to a release greater than or equal to 7.19.14; Confluence Data Center and Server 8.5: upgrade to a release greater than or equal to 8.5.1; Confluence Data Center and Server 8.6 or above: no need to upgrade, you're already on a patched version. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "902E46F9-334A-41FF-B018-5EF723F3F1A5",
              "versionEndExcluding": "7.19.14",
              "versionStartIncluding": "5.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6864ADF8-9209-4E0A-989A-4BEA4ABC3601",
              "versionEndExcluding": "8.5.1",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "14D4E84F-17C0-40DF-9234-063D03434DB5",
              "versionEndExcluding": "7.19.14",
              "versionStartIncluding": "5.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2C6F3F1-6E32-4083-A8F6-149C85F31626",
              "versionEndExcluding": "8.5.1",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a vulnerable host (Confluence instance) connected to a network, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.14 Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.1 Confluence Data Center and Server 8.6 or above: No need to upgrade, you\u0027re already on a patched version See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ]). This vulnerability was reported via our Bug Bounty program."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad de denegaci\u00f3n de servicio (DoS) de alta gravedad se introdujo en la versi\u00f3n 5.6.0 de Confluence Data Center and Server. Con una puntuaci\u00f3n CVSS de 7,5, permite a un atacante no autenticado provocar la indisponibilidad de un recurso para sus usuarios previstos mediante la interrupci\u00f3n temporal o indefinida de los servicios de un host vulnerable (instancia de Confluence) conectado a una red. Esto no afecta a la confidencialidad ni a la integridad, tiene un alto impacto en la disponibilidad y no requiere la interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n. Si no pueden hacerlo, actualicen su instancia a una de las versiones corregidas compatibles especificadas: Confluence Data Center y Server 7.19: actualice a una versi\u00f3n mayor o igual a la 7.19.14 Confluence Data Center y Server 8.5: actualice a una versi\u00f3n mayor o igual a la 8.5.1 Confluence Data Center y Server 8.6 o posterior: no es necesario actualizar, ya tienen una versi\u00f3n parcheada Consulte las notas de la versi\u00f3n (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center y Server desde el centro de descargas (https://www.atlassian.com/software/confluence/download-archives ]). Esta vulnerabilidad se inform\u00f3 a trav\u00e9s de nuestro programa Bug Bounty."
    }
  ],
  "id": "CVE-2023-22512",
  "lastModified": "2025-05-12T16:15:18.860",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-16T18:15:09.130",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-91258"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21674

Vulnerability from fkie_nvd - Published: 2024-01-16 05:15 - Updated: 2024-11-21 08:54
Summary
This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. This Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation, which has high impact to confidentiality, no impact to integrity, no impact to availability, and does not require user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6315A65C-D63C-4A23-BD87-4CCE7FA41662",
              "versionEndExcluding": "7.19.18",
              "versionStartIncluding": "7.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5910506D-FE53-411D-8684-C5477CE44D48",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "30B5862B-E498-44C3-8C73-8474AEA4108D",
              "versionEndExcluding": "8.7.2",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE863B2C-1277-400C-B9A6-9A7895DEDD8C",
              "versionEndExcluding": "7.19.18",
              "versionStartIncluding": "7.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A42A7385-4CBB-4EE3-B227-13CD02C50D8A",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "50F31DE4-0A6B-4183-8E74-324DA2BF2BD1",
              "versionEndIncluding": "8.7.2",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server.\n\nRemote Code Execution (RCE) vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, no impact to integrity, no impact to availability, and does not require user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\n* Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release\n* Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release\n* Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release\n\nSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives )."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) de alta gravedad se introdujo en la versi\u00f3n 7.13.0 de Confluence Data Center and Server. Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE), con una puntuaci\u00f3n CVSS de 8,6 y un vector CVSS de CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N /A:N permite que un atacante no autenticado exponga activos en su entorno susceptibles de explotaci\u00f3n, lo que tiene un alto impacto en la confidencialidad, ning\u00fan impacto en la integridad, ning\u00fan impacto en la disponibilidad y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: * Confluence Data Center y Server 7.19: actualice a una versi\u00f3n 7.19.18, o cualquier versi\u00f3n superior 7.19.x * Confluence Data Center y Server 8.5: actualice a una versi\u00f3n 8.5.5 o cualquier versi\u00f3n superior 8.5.x * Confluence Data Center y Server 8.7: actualice a una versi\u00f3n 8.7.2 o cualquier versi\u00f3n superior Consulte la notas de la versi\u00f3n (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center and Server desde el centro de descargas (https://www.atlassian.com/software/confluence/download-archives)."
    }
  ],
  "id": "CVE-2024-21674",
  "lastModified": "2024-11-21T08:54:50.740",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-16T05:15:08.910",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94066"
    },
    {
      "source": "nvd@nist.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94066"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21673

Vulnerability from fkie_nvd - Published: 2024-01-16 05:15 - Updated: 2025-06-03 19:15
Summary
This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. This Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, allows an authenticated attacker to expose assets in your environment susceptible to exploitation, which has high impact to confidentiality, high impact to integrity, high impact to availability, and does not require user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6315A65C-D63C-4A23-BD87-4CCE7FA41662",
              "versionEndExcluding": "7.19.18",
              "versionStartIncluding": "7.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5910506D-FE53-411D-8684-C5477CE44D48",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "30B5862B-E498-44C3-8C73-8474AEA4108D",
              "versionEndExcluding": "8.7.2",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE863B2C-1277-400C-B9A6-9A7895DEDD8C",
              "versionEndExcluding": "7.19.18",
              "versionStartIncluding": "7.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A42A7385-4CBB-4EE3-B227-13CD02C50D8A",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "50F31DE4-0A6B-4183-8E74-324DA2BF2BD1",
              "versionEndIncluding": "8.7.2",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server.\n\nRemote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of\u00a0CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and does not require user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\n* Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release\n* Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release\n* Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release\n\nSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives )."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) de alta gravedad se introdujo en las versiones 7.13.0 de Confluence Data Center y Server. Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE), con una puntuaci\u00f3n CVSS de 8,0 y un vector CVSS de CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H /A:H permite que un atacante autenticado exponga activos en su entorno susceptibles de explotaci\u00f3n, lo que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, un alto impacto en la disponibilidad y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: * Confluence Data Center y Server 7.19: actualice a una versi\u00f3n 7.19.18, o cualquier versi\u00f3n superior 7.19.x * Confluence Data Center y Server 8.5: actualice a una versi\u00f3n 8.5.5 o cualquier versi\u00f3n superior 8.5.x * Confluence Data Center y Server 8.7: actualice a una versi\u00f3n 8.7.2 o cualquier versi\u00f3n superior Consulte la notas de la versi\u00f3n (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center and Server desde el centro de descargas (https://www.atlassian.com/software/confluence/download-archives)."
    }
  ],
  "id": "CVE-2024-21673",
  "lastModified": "2025-06-03T19:15:36.923",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 6.0,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-16T05:15:08.730",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94065"
    },
    {
      "source": "nvd@nist.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94065"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2023-22527

Vulnerability from fkie_nvd - Published: 2024-01-16 05:15 - Updated: 2025-10-24 13:38
Severity ?
Summary
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

{
  "cisaActionDue": "2024-02-14",
  "cisaExploitAdd": "2024-01-24",
  "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Atlassian Confluence Data Center and Server Template Injection Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "98686E6C-5D52-4EDB-A580-CE01009BADBA",
              "versionEndExcluding": "8.5.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FED19C83-6D8B-45B1-AAC3-F4C6B12C0E4D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "82C2F4B6-A251-4D8B-8624-99079E50E331",
              "versionEndExcluding": "8.5.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.\n\nMost recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian\u2019s January Security Bulletin."
    },
    {
      "lang": "es",
      "value": "Resumen de vulnerabilidad. Una vulnerabilidad de inyecci\u00f3n de plantilla en versiones anteriores de Confluence Data Center y Server permite que un atacante no autenticado logre RCE en una instancia afectada. Los clientes que utilicen una versi\u00f3n afectada deben tomar medidas inmediatas. Las versiones compatibles m\u00e1s recientes de Confluence Data Center y Server no se ven afectadas por esta vulnerabilidad, ya que finalmente se mitig\u00f3 durante las actualizaciones peri\u00f3dicas de la versi\u00f3n. Sin embargo, Atlassian recomienda que los clientes tengan cuidado de instalar la \u00faltima versi\u00f3n para proteger sus instancias de vulnerabilidades no cr\u00edticas descritas en el Bolet\u00edn de seguridad de enero de Atlassian. Consulte \u201cWhat You Need to Do\u201d para obtener instrucciones detalladas. {panel:bgColor=#deebff} Los sitios de Atlassian Cloud no se ven afectados por esta vulnerabilidad. Si se accede a su sitio de Confluence a trav\u00e9s de un dominio atlassian.net, est\u00e1 alojado en Atlassian y no es vulnerable a este problema. {panel} Versiones afectadas ||Producto||Versiones afectadas|| |Centro de datos y servidor de Confluence| 8.0.x 8.1.x 8.2.x 8.3.x 8.4.x 8.5.0 8.5.1 8.5.2 8.5.3| Versiones fijas ||Producto||Versiones fijas|| |Centro de datos y servidor de Confluence|8.5.4 (LTS)| |Centro de datos de Confluence| 8.6.0 o posterior (solo centro de datos) 8.7.1 o posterior (solo centro de datos)| Qu\u00e9 debe hacer inmediatamente parchear a una versi\u00f3n fija Atlassian recomienda parchear cada una de sus instalaciones afectadas a la \u00faltima versi\u00f3n. Las versiones fijas enumeradas ya no son las versiones m\u00e1s actualizadas y no protegen su instancia de otras vulnerabilidades no cr\u00edticas, como se describe en el Bolet\u00edn de seguridad de enero de Atlassian. 
||Producto||Versiones fijas||\u00daltimas versiones|| |Centro de datos y servidor de Confluence| 8.5.4 (LTS)| 8.5.5 (LTS) |Centro de datos de Confluence| 8.6.0 o posterior (solo centro de datos) 8.7.1 o posterior (solo centro de datos)| 8.6.3 o posterior (solo centro de datos) 8.7.2 o posterior (solo centro de datos) Para obtener detalles adicionales, consulte el aviso completo."
    }
  ],
  "id": "CVE-2023-22527",
  "lastModified": "2025-10-24T13:38:56.433",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-16T05:15:08.290",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-93833"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-93833"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.vicarius.io/vsociety/posts/pwning-confluence-via-ognl-injection-for-fun-and-learning-cve-2023-22527"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22527"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-21672

Vulnerability from fkie_nvd - Published: 2024-01-16 05:15 - Updated: 2025-06-02 16:15
Summary
This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server. This Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, allows an unauthenticated attacker to remotely expose assets in your environment susceptible to exploitation, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to release 7.19.18 or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to release 8.7.2 or any higher release. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).
Note: in the CPE data below, the confluence_server entry for the 8.7 line uses versionEndIncluding 8.7.2, while the confluence_data_center entry uses versionEndExcluding 8.7.2 and the text above names 8.7.2 as a fixed release; confirm the fixed version against the vendor advisory before relying on CPE matching.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6315A65C-D63C-4A23-BD87-4CCE7FA41662",
              "versionEndExcluding": "7.19.18",
              "versionStartIncluding": "7.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5910506D-FE53-411D-8684-C5477CE44D48",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "30B5862B-E498-44C3-8C73-8474AEA4108D",
              "versionEndExcluding": "8.7.2",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE863B2C-1277-400C-B9A6-9A7895DEDD8C",
              "versionEndExcluding": "7.19.18",
              "versionStartIncluding": "7.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A42A7385-4CBB-4EE3-B227-13CD02C50D8A",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "50F31DE4-0A6B-4183-8E74-324DA2BF2BD1",
              "versionEndIncluding": "8.7.2",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server.\n\nRemote Code Execution (RCE) vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of\u00a0CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H allows an unauthenticated attacker to remotely expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\n* Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release\n* Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release\n* Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release\n\nSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives)."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) de alta gravedad se introdujo en la versi\u00f3n 2.1.0 de Confluence Data Center and Server. Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE), con una puntuaci\u00f3n CVSS de 8,3 y un vector CVSS de CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H /A:H permite que un atacante no autenticado exponga de forma remota activos en su entorno susceptibles de explotaci\u00f3n, lo que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, un alto impacto en la disponibilidad y requiere la interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas: * Confluence Data Center y Server 7.19: actualice a una versi\u00f3n 7.19.18, o cualquier versi\u00f3n superior 7.19.x * Confluence Data Center y Server 8.5: actualice a una versi\u00f3n 8.5.5 o cualquier versi\u00f3n superior 8.5.x * Confluence Data Center y Server 8.7: actualice a una versi\u00f3n 8.7.2 o cualquier versi\u00f3n superior Consulte la notas de la versi\u00f3n (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center and Server desde el centro de descargas (https://www.atlassian.com/software/confluence/download-archives)."
    }
  ],
  "id": "CVE-2024-21672",
  "lastModified": "2025-06-02T16:15:26.527",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 6.0,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-16T05:15:08.537",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94064"
    },
    {
      "source": "nvd@nist.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-94064"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2023-22526

Vulnerability from fkie_nvd - Published: 2024-01-16 05:15 - Updated: 2025-06-20 17:15
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 7.19.0 of Confluence Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: Upgrade to release 7.19.17 or any higher 7.19.x release; Confluence Data Center and Server 8.5: Upgrade to release 8.5.5 or any higher 8.5.x release; Confluence Data Center and Server 8.7: Upgrade to release 8.7.2 or any higher release. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was discovered by m1sn0w and reported via our Bug Bounty program.
Note: in the CPE data below, the confluence_server entry for the 8.7 line uses versionEndIncluding 8.7.2, while the confluence_data_center entry uses versionEndExcluding 8.7.2 and the text above names 8.7.2 as a fixed release; confirm the fixed version against the vendor advisory before relying on CPE matching.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFAC515C-172B-44D9-89A9-062F33E644E7",
              "versionEndExcluding": "7.19.17",
              "versionStartIncluding": "7.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5910506D-FE53-411D-8684-C5477CE44D48",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "30B5862B-E498-44C3-8C73-8474AEA4108D",
              "versionEndExcluding": "8.7.2",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "56354085-184F-4B7A-B384-34A0D3B38EE0",
              "versionEndExcluding": "7.19.17",
              "versionStartIncluding": "7.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A42A7385-4CBB-4EE3-B227-13CD02C50D8A",
              "versionEndExcluding": "8.5.5",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "50F31DE4-0A6B-4183-8E74-324DA2BF2BD1",
              "versionEndIncluding": "8.7.2",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 7.19.0 of Confluence Data Center.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\r\n\r\nAtlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Confluence Data Center and Server 7.19: Upgrade to a release 7.19.17, or any higher 7.19.x release\r\n Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release\r\n Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release\r\n\r\nSee the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).\r\n\r\nThis vulnerability was discovered by m1sn0w and reported via our Bug Bounty program"
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo) de alta gravedad se introdujo en la versi\u00f3n 7.19.0 de Confluence Data Center. Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo), con una puntuaci\u00f3n CVSS de 7,2, permite a un atacante autenticado ejecutar c\u00f3digo arbitrario que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, un alto impacto en la disponibilidad y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center actualicen a la \u00faltima versi\u00f3n; si no pueden hacerlo, actualicen su instancia a una de las versiones fijas admitidas especificadas: Confluence Data Center y Server 7.19: actualice a una versi\u00f3n 7.19.17 o superior. Versi\u00f3n 7.19.x Confluence Data Center y Server 8.5: actualice a una versi\u00f3n 8.5.5 o superior. 8.5.x Confluence Data Center y Server 8.7: actualice a una versi\u00f3n 8.7.2 o superior. Consulte las notas de la versi\u00f3n ([https ://confluence.atlassian.com/doc/confluence-release-notes-327.html]). Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center desde el centro de descargas ([https://www.atlassian.com/software/confluence/download-archives]). Esta vulnerabilidad fue descubierta por m1sn0w y reportada a trav\u00e9s de nuestro programa Bug Bounty."
    }
  ],
  "id": "CVE-2023-22526",
  "lastModified": "2025-06-20T17:15:30.447",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-16T05:15:07.933",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-93516"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://jira.atlassian.com/browse/CONFSERVER-93516"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

CVE-2025-22166 (GCVE-0-2025-22166)

Vulnerability from cvelistv5 – Published: 2025-10-21 16:00 – Updated: 2025-10-21 16:21
Summary
This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center. This DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.25; Confluence Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7; Confluence Data Center and Server 10.0: Upgrade to a release greater than or equal to 10.0.2. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Atlassian (Internal) program.
CWE
  • DoS (Denial of Service)
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 9.5.1 to 9.5.4
Affected: 9.4.0 to 9.4.1
Affected: 9.3.1 to 9.3.2
Affected: 9.2.0 to 9.2.6
Affected: 9.1.0 to 9.1.1
Affected: 9.0.1 to 9.0.3
Affected: 8.9.0 to 8.9.8
Affected: 8.8.0 to 8.8.1
Affected: 8.7.1 to 8.7.2
Affected: 8.6.1 to 8.6.2
Affected: 8.5.3 to 8.5.24
Affected: 7.19.16 to 7.19.30
Unaffected: 10.0.2 to 10.0.3
Unaffected: 9.2.7 to 9.2.9
Unaffected: 8.5.25 to 8.5.27

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22166",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-21T16:21:21.142041Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-405",
                "description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T16:21:27.828Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "9.5.1 to 9.5.4"
            },
            {
              "status": "affected",
              "version": "9.4.0 to 9.4.1"
            },
            {
              "status": "affected",
              "version": "9.3.1 to 9.3.2"
            },
            {
              "status": "affected",
              "version": "9.2.0 to 9.2.6"
            },
            {
              "status": "affected",
              "version": "9.1.0 to 9.1.1"
            },
            {
              "status": "affected",
              "version": "9.0.1 to 9.0.3"
            },
            {
              "status": "affected",
              "version": "8.9.0 to 8.9.8"
            },
            {
              "status": "affected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "affected",
              "version": "8.7.1 to 8.7.2"
            },
            {
              "status": "affected",
              "version": "8.6.1 to 8.6.2"
            },
            {
              "status": "affected",
              "version": "8.5.3 to 8.5.24"
            },
            {
              "status": "affected",
              "version": "7.19.16 to 7.19.30"
            },
            {
              "status": "unaffected",
              "version": "10.0.2 to 10.0.3"
            },
            {
              "status": "unaffected",
              "version": "9.2.7 to 9.2.9"
            },
            {
              "status": "unaffected",
              "version": "8.5.25 to 8.5.27"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.4.1",
                  "versionStartIncluding": "9.4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.4.1:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.3.2",
                  "versionStartIncluding": "9.3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.2.6",
                  "versionStartIncluding": "9.2.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.2:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.3:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.4:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.5:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.6:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.1.1",
                  "versionStartIncluding": "9.1.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.0.3",
                  "versionStartIncluding": "9.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.9.8",
                  "versionStartIncluding": "8.9.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.8.1",
                  "versionStartIncluding": "8.8.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.7.2",
                  "versionStartIncluding": "8.7.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.6.2",
                  "versionStartIncluding": "8.6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "8.5.24",
                  "versionStartIncluding": "8.5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.13:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.22:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.23:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.24:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "7.19.30",
                  "versionStartIncluding": "7.19.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.7:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.8:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:9.2.9:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.25:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.26:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:confluence_data_center:8.5.27:*:*:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center.\r\n\r\nThis DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network.\r\n\r\nAtlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.25\r\n Confluence Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7\r\n Confluence Data Center and Server 10.0: Upgrade to a release greater than or equal to 10.0.2\r\n\r\nSee the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).\r\n\r\nThis vulnerability was reported via our Atlassian (Internal) program."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "DoS (Denial of Service)",
              "lang": "en",
              "type": "DoS (Denial of Service)"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-21T16:00:05.978Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1652920034"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-100907"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2025-22166",
    "datePublished": "2025-10-21T16:00:05.978Z",
    "dateReserved": "2025-01-01T00:01:27.176Z",
    "dateUpdated": "2025-10-21T16:21:27.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-22512 (GCVE-0-2023-22512)

Vulnerability from cvelistv5 – Published: 2025-03-17 22:34 – Updated: 2025-05-12 15:39
Summary
This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a vulnerable host (Confluence instance) connected to a network, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: upgrade to a release greater than or equal to 7.19.14; Confluence Data Center and Server 8.5: upgrade to a release greater than or equal to 8.5.1; Confluence Data Center and Server 8.6 or above: no need to upgrade, you're already on a patched version. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
CWE
  • DoS (Denial of Service)
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Unaffected: < 5.6.0
Affected: >= 5.6.0
Unaffected: >= 7.19.13
Unaffected: >= 7.19.14
Unaffected: >= 8.5.1
Unaffected: >= 8.6.0
    Atlassian Confluence Server Unaffected: < 5.6.0
Affected: >= 5.6.0
Unaffected: >= 7.19.13
Unaffected: >= 7.19.14
Unaffected: >= 8.5.1
Unaffected: >= 8.6.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-22512",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T15:38:47.977501Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T15:39:27.035Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 5.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.6.0"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.13"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.14"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.1"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.6.0"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 5.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.6.0"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.13"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.14"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.1"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity DoS (Denial of Service) vulnerability was introduced in version 5.6.0 of Confluence Data Center and Server. With a CVSS Score of 7.5, this vulnerability allows an unauthenticated attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a vulnerable host (Confluence instance) connected to a network, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.14 Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.1 Confluence Data Center and Server 8.6 or above: No need to upgrade, you\u0027re already on a patched version See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ]). This vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "DoS (Denial of Service)",
              "lang": "en",
              "type": "DoS (Denial of Service)"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-17T22:34:42.950Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-91258"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2023-22512",
    "datePublished": "2025-03-17T22:34:42.950Z",
    "dateReserved": "2023-01-01T00:01:22.330Z",
    "dateUpdated": "2025-05-12T15:39:27.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21703 (GCVE-0-2024-21703)

Vulnerability from cvelistv5 – Published: 2024-11-27 17:00 – Updated: 2024-11-27 17:33
Summary
This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4, allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.18 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.5 * Confluence Data Center and Server 8.7: Upgrade to a release greater than or equal to 8.7.2 * Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.0. See the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot.
CWE
  • Security Misconfiguration
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 8.7.1
Unaffected: 8.8.0 to 8.8.1
Unaffected: 8.7.2
Unaffected: 8.5.5 to 8.5.17
Unaffected: 7.19.18 to 7.19.29
    Atlassian Confluence Server Unaffected: 8.5.5 to 8.5.17
Unaffected: 7.19.18 to 7.19.29
Credits
Chris Elliot

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.1918",
                "status": "affected",
                "version": "7.19",
                "versionType": "custom"
              },
              {
                "lessThan": "8.5.5",
                "status": "affected",
                "version": "8.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.7.2",
                "status": "affected",
                "version": "8.7",
                "versionType": "custom"
              },
              {
                "lessThan": "8.8.0",
                "status": "affected",
                "version": "8.8",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_server",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.19.18",
                "status": "affected",
                "version": "7.19",
                "versionType": "custom"
              },
              {
                "lessThan": "8.5.5",
                "status": "affected",
                "version": "8.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.7.2",
                "status": "affected",
                "version": "8.7",
                "versionType": "custom"
              },
              {
                "lessThan": "8.8.0",
                "status": "affected",
                "version": "8.8",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-21703",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-27T17:24:22.500451Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-732",
                "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-27T17:33:53.585Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.7.1"
            },
            {
              "status": "unaffected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "unaffected",
              "version": "8.7.2"
            },
            {
              "status": "unaffected",
              "version": "8.5.5 to 8.5.17"
            },
            {
              "status": "unaffected",
              "version": "7.19.18 to 7.19.29"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "8.5.5 to 8.5.17"
            },
            {
              "status": "unaffected",
              "version": "7.19.18 to 7.19.29"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Chris Elliot"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations.\n\n\n\nThis Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration which has high impact to confidentiality, high impact to integrity,  high impact to availability, and no user interaction.\n\n\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to the latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\n* Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.18 \n* Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.5\n* Confluence Data Center and Server 8.7: Upgrade to a release greater than or equal to 8.7.2\n* Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.0\n\n\n\nSee the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ). \n\nThis vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Security Misconfiguration",
              "lang": "en",
              "type": "Security Misconfiguration"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-27T17:00:01.507Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-98413"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21703",
    "datePublished": "2024-11-27T17:00:01.507Z",
    "dateReserved": "2024-01-01T00:05:33.849Z",
    "dateUpdated": "2024-11-27T17:33:53.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21690 (GCVE-0-2024-21690)

Vulnerability from cvelistv5 – Published: 2024-08-21 16:05 – Updated: 2024-11-06 18:47
Summary
This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser and to force an end user to execute unwanted actions on a web application in which they're currently authenticated, which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
CWE
  • Reflected XSS
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 8.9.0 to 8.9.5
Affected: 8.8.0 to 8.8.1
Affected: 8.7.1 to 8.7.2
Affected: 8.6.0 to 8.6.2
Affected: 8.5.0 to 8.5.12
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Unaffected: 9.0.1 to 9.0.2
Unaffected: 8.5.14
Unaffected: 7.19.26
    Atlassian Confluence Server Affected: 8.5.0 to 8.5.12
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Unaffected: 8.5.14
Unaffected: 7.19.26

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21690",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-22T13:51:34.740469Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T18:47:21.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.9.0 to 8.9.5"
            },
            {
              "status": "affected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "affected",
              "version": "8.7.1 to 8.7.2"
            },
            {
              "status": "affected",
              "version": "8.6.0 to 8.6.2"
            },
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.12"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "unaffected",
              "version": "9.0.1 to 9.0.2"
            },
            {
              "status": "unaffected",
              "version": "8.5.14"
            },
            {
              "status": "unaffected",
              "version": "7.19.26"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.12"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "unaffected",
              "version": "8.5.14"
            },
            {
              "status": "unaffected",
              "version": "7.19.26"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. \n\t\n\tThis Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they\u0027re currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. \n\t\n\tAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\t\t\n\t\t* Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26\n\t\t\n\t\t* Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14\n\t\t\n\t\t* Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1\n\t\t\n\t\t\n\t\n\tSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). \n\t\n\tThis vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Reflected XSS",
              "lang": "en",
              "type": "Reflected XSS"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-21T17:00:02.995Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-97720"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21690",
    "datePublished": "2024-08-21T16:05:00.394Z",
    "dateReserved": "2024-01-01T00:05:33.847Z",
    "dateUpdated": "2024-11-06T18:47:21.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21686 (GCVE-0-2024-21686)

Vulnerability from cvelistv5 – Published: 2024-07-16 20:00 – Updated: 2025-03-19 18:24
Summary
This High severity Stored XSS vulnerability was introduced in version 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser, which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
CWE
  • Stored XSS
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 8.9.0
Affected: 8.8.0 to 8.8.1
Affected: 8.7.1 to 8.7.2
Affected: 8.6.0 to 8.6.2
Affected: 8.5.0 to 8.5.8
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Affected: 7.19.0 to 7.19.21
Unaffected: 8.9.1 to 8.9.4
Unaffected: 8.5.9 to 8.5.12
Unaffected: 7.19.22 to 7.19.25
    Atlassian Confluence Server Affected: 8.5.0 to 8.5.8
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Affected: 7.19.0 to 7.19.21
Unaffected: 8.5.9 to 8.5.12
Unaffected: 7.19.22 to 7.19.25

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:36.033Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/CONFSERVER-96134"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "status": "affected",
                "version": "8.9.0"
              },
              {
                "lessThanOrEqual": "8.8.1",
                "status": "affected",
                "version": "8.8.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.7.2",
                "status": "affected",
                "version": "8.7.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.6.2",
                "status": "affected",
                "version": "8.6.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.5.8",
                "status": "affected",
                "version": "8.5.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.4.5",
                "status": "affected",
                "version": "8.4.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.3.4",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.2.3",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.1.4",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.0.4",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.20.3",
                "status": "affected",
                "version": "7.20.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.19.21",
                "status": "affected",
                "version": "7.19.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.9.4",
                "status": "affected",
                "version": "8.9.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.5.12",
                "status": "affected",
                "version": "8.5.9",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.19.25",
                "status": "affected",
                "version": "7.19.22",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_server",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThanOrEqual": "8.5.8",
                "status": "affected",
                "version": "8.5.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.4.5",
                "status": "affected",
                "version": "8.4.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.3.4",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.2.3",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.1.4",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.0.4",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.20.3",
                "status": "affected",
                "version": "7.20.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.19.21",
                "status": "affected",
                "version": "7.19.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.5.12",
                "status": "affected",
                "version": "8.5.9",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.19.25",
                "status": "affected",
                "version": "7.19.22",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21686",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-05T15:34:59.884690Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-19T18:24:42.880Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.9.0"
            },
            {
              "status": "affected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "affected",
              "version": "8.7.1 to 8.7.2"
            },
            {
              "status": "affected",
              "version": "8.6.0 to 8.6.2"
            },
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.8"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "affected",
              "version": "7.19.0 to 7.19.21"
            },
            {
              "status": "unaffected",
              "version": "8.9.1 to 8.9.4"
            },
            {
              "status": "unaffected",
              "version": "8.5.9 to 8.5.12"
            },
            {
              "status": "unaffected",
              "version": "7.19.22 to 7.19.25"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.8"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "affected",
              "version": "7.19.0 to 7.19.21"
            },
            {
              "status": "unaffected",
              "version": "8.5.9 to 8.5.12"
            },
            {
              "status": "unaffected",
              "version": "7.19.22 to 7.19.25"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server.\n\nThis Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE\n\nSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).\n\nThis vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Stored XSS",
              "lang": "en",
              "type": "Stored XSS"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-16T20:00:02.617Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-96134"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21686",
    "datePublished": "2024-07-16T20:00:02.156Z",
    "dateReserved": "2024-01-01T00:05:33.847Z",
    "dateUpdated": "2025-03-19T18:24:42.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21683 (GCVE-0-2024-21683)

Vulnerability from cvelistv5 – Published: 2024-05-21 23:00 – Updated: 2025-05-12 15:22
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was found internally.
CWE
  • RCE (Remote Code Execution)
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Affected: 8.9.0
Affected: 8.8.0 to 8.8.1
Affected: 8.7.1 to 8.7.2
Affected: 8.6.0 to 8.6.2
Affected: 8.5.0 to 8.5.8
Affected: 8.4.0 to 8.4.5
Affected: 8.3.0 to 8.3.4
Affected: 8.2.0 to 8.2.3
Affected: 8.1.0 to 8.1.4
Affected: 8.0.0 to 8.0.4
Affected: 7.20.0 to 7.20.3
Affected: 7.19.0 to 7.19.21
Unaffected: 8.9.1 to 8.9.2
Unaffected: 8.5.9 to 8.5.10
Unaffected: 7.19.22 to 7.19.23
Credits
Atlassian

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "status": "affected",
                "version": "8.9.0"
              },
              {
                "lessThanOrEqual": "8.8.1",
                "status": "affected",
                "version": "8.8.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.7.2",
                "status": "affected",
                "version": "8.7.1",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.6.2",
                "status": "affected",
                "version": "8.6.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.5.8",
                "status": "affected",
                "version": "8.5.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.4.5",
                "status": "affected",
                "version": "8.4.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.3.4",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.2.3",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.1.4",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "8.0.4",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.20.3",
                "status": "affected",
                "version": "7.20.0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "7.1921",
                "status": "affected",
                "version": "7.19.0",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "8.9.1"
              },
              {
                "status": "affected",
                "version": "8.5.9"
              },
              {
                "status": "affected",
                "version": "7.19.22"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21683",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-20T03:55:34.077361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T15:22:41.587Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "8.9.0"
            },
            {
              "status": "affected",
              "version": "8.8.0 to 8.8.1"
            },
            {
              "status": "affected",
              "version": "8.7.1 to 8.7.2"
            },
            {
              "status": "affected",
              "version": "8.6.0 to 8.6.2"
            },
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.8"
            },
            {
              "status": "affected",
              "version": "8.4.0 to 8.4.5"
            },
            {
              "status": "affected",
              "version": "8.3.0 to 8.3.4"
            },
            {
              "status": "affected",
              "version": "8.2.0 to 8.2.3"
            },
            {
              "status": "affected",
              "version": "8.1.0 to 8.1.4"
            },
            {
              "status": "affected",
              "version": "8.0.0 to 8.0.4"
            },
            {
              "status": "affected",
              "version": "7.20.0 to 7.20.3"
            },
            {
              "status": "affected",
              "version": "7.19.0 to 7.19.21"
            },
            {
              "status": "unaffected",
              "version": "8.9.1 to 8.9.2"
            },
            {
              "status": "unaffected",
              "version": "8.5.9 to 8.5.10"
            },
            {
              "status": "unaffected",
              "version": "7.19.22 to 7.19.23"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Atlassian"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.\n\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\u00a0\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html\n\nYou can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives.\n\nThis vulnerability was found internally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "RCE (Remote Code Execution)",
              "lang": "en",
              "type": "RCE (Remote Code Execution)"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-14T20:55:38.532Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1409286211"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-95832"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21683",
    "datePublished": "2024-05-21T23:00:00.446Z",
    "dateReserved": "2024-01-01T00:05:33.846Z",
    "dateUpdated": "2025-05-12T15:22:41.587Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21677 (GCVE-0-2024-21677)

Vulnerability from cvelistv5 – Published: 2024-03-19 17:00 – Updated: 2025-03-13 17:39
Summary
This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions. Data Center: Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
CWE
  • Other
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Unaffected: < 6.13.0
Affected: >= 6.13.0
Affected: >= 7.19.0
Affected: >= 7.20.0
Affected: >= 8.0.0
Affected: >= 8.1.0
Affected: >= 8.2.0
Affected: >= 8.3.0
Affected: >= 8.4.0
Affected: >= 8.5.0
Affected: >= 8.6.0
Affected: >= 8.7.1
Affected: >= 8.8.0
Unaffected: >= 7.19.20
Unaffected: >= 8.5.7
Unaffected: >= 8.8.1

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:8.8.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "status": "affected",
                "version": "8.8.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:8.7.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:7.19.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:7.20.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.0.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.1.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.2.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.3.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.4.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.5:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:8.6.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.19.19",
                "status": "affected",
                "version": "7.19.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.20.3",
                "status": "affected",
                "version": "7.20.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.0.4",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.1.4",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.2.3",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.3.4",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.4.5",
                "status": "affected",
                "version": "8.4.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.5.6",
                "status": "affected",
                "version": "8.5",
                "versionType": "custom"
              },
              {
                "lessThan": "8.6.2",
                "status": "affected",
                "version": "8.6.0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.7.2",
                "status": "affected",
                "version": "8.7.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:7.17.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.17.5",
                "status": "affected",
                "version": "7.17.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.18.3",
                "status": "affected",
                "version": "7.18.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "7.17.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21677",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-10T04:00:27.568364Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-13T17:39:21.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:35.969Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/CONFSERVER-94604"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 6.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.19.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.20.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.1.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.2.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.3.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.5.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.7.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.8.0"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.20"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.7"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version.\n\nIf you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html\n\nYou can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. \n\nThis vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Other",
              "lang": "en",
              "type": "Other"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-19T17:30:00.500Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-94604"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21677",
    "datePublished": "2024-03-19T17:00:00.486Z",
    "dateReserved": "2024-01-01T00:05:33.846Z",
    "dateUpdated": "2025-03-13T17:39:21.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21678 (GCVE-0-2024-21678)

Vulnerability from cvelistv5 – Published: 2024-02-20 18:00 – Updated: 2024-10-31 15:16
Summary
This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction.

Data Center

Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

||Affected versions||Fixed versions||
|from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2|
|from 8.6.0 to 8.6.1|8.8.0 recommended|
|from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS|
|from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS|
|from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS|
|from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS|
|from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS|
|from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS|
|from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS|
|from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS|
|from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|
|from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|
|Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|

Server

Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

||Affected versions||Fixed versions||
|from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended|
|from 8.4.0 to 8.4.5|8.5.6 LTS recommended|
|from 8.3.0 to 8.3.4|8.5.6 LTS recommended|
|from 8.2.0 to 8.2.3|8.5.6 LTS recommended|
|from 8.1.0 to 8.1.4|8.5.6 LTS recommended|
|from 8.0.0 to 8.0.4|8.5.6 LTS recommended|
|from 7.20.0 to 7.20.3|8.5.6 LTS recommended|
|from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS|
|from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS|
|from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS|
|Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS|

See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was reported via our Bug Bounty program.
CWE
  • Stored XSS
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Unaffected: < 2.7.0
Affected: >= 2.7.0
Affected: >= 7.13.0
Affected: >= 7.19.0
Affected: >= 7.20.0
Affected: >= 8.0.0
Affected: >= 8.1.0
Affected: >= 8.2.0
Affected: >= 8.3.0
Affected: >= 8.4.0
Affected: >= 8.5.0
Affected: >= 8.6.0
Affected: >= 8.7.1
Unaffected: >= 7.19.18
Unaffected: >= 8.5.5
Unaffected: >= 8.7.2
Unaffected: >= 8.8.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21678",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T18:49:48.543984Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T15:16:18.788Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:35.810Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/CONFSERVER-94513"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 2.7.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.7.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.19.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.20.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.1.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.2.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.3.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.5.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.7.1"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.18"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.5"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.7.2"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.8.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center.\r\n\r\nThis Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction.\r\nData Center\r\n\r\nAtlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n||Affected versions||Fixed versions||\r\n|from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2|\r\n|from 8.6.0 to 8.6.1|8.8.0 recommended|\r\n|from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS|\r\n|from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS|\r\n|from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS|\r\n|from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS|\r\n|from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\n|from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\n|Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|\r\nServer\r\n\r\nAtlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. 
If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n\r\n\u00a0\r\n||Affected versions||Fixed versions||\r\n|from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended\u00a0|\r\n|from 8.4.0 to 8.4.5|8.5.6 LTS recommended|\r\n|from 8.3.0 to 8.3.4|8.5.6 LTS recommended|\r\n|from 8.2.0 to 8.2.3|8.5.6 LTS recommended|\r\n|from 8.1.0 to 8.1.4|8.5.6 LTS recommended|\r\n|from 8.0.0 to 8.0.4|8.5.6 LTS recommended|\r\n|from 7.20.0 to 7.20.3|8.5.6 LTS recommended|\r\n|from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS|\r\n|from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS|\r\n|from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS|\r\n|Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS|\r\n\r\nSee the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).\r\n\r\nThis vulnerability was reported via our Bug Bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Stored XSS",
              "lang": "en",
              "type": "Stored XSS"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T18:00:00.727Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606"
        },
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-94513"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21678",
    "datePublished": "2024-02-20T18:00:00.727Z",
    "dateReserved": "2024-01-01T00:05:33.846Z",
    "dateUpdated": "2024-10-31T15:16:18.788Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21673 (GCVE-0-2024-21673)

Vulnerability from cvelistv5 – Published: 2024-01-16 05:00 – Updated: 2025-06-03 18:47
Summary
This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. This Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and does not require user interaction.

Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

* Confluence Data Center and Server 7.19: Upgrade to release 7.19.18, or any higher 7.19.x release
* Confluence Data Center and Server 8.5: Upgrade to release 8.5.5, or any higher 8.5.x release
* Confluence Data Center and Server 8.7: Upgrade to release 8.7.2, or any higher release

See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).
CWE
  • RCE (Remote Code Execution)
Assigner
Impacted products
Vendor Product Version
Atlassian Confluence Data Center Unaffected: < 7.13.0
Affected: >= 7.13.0
Affected: >= 7.19.0
Affected: >= 8.0.0
Affected: >= 8.1.0
Affected: >= 8.2.0
Affected: >= 8.3.0
Affected: >= 8.4.0
Affected: >= 8.5.0
Affected: >= 8.6.0
Affected: >= 8.7.1
Unaffected: >= 7.19.18
Unaffected: >= 8.5.5
Unaffected: >= 8.7.2
    Atlassian Confluence Server Unaffected: < 7.13.0
Affected: >= 7.13.0
Affected: >= 7.19.0
Affected: >= 8.0.0
Affected: >= 8.1.0
Affected: >= 8.2.0
Affected: >= 8.3.0
Affected: >= 8.4.0
Affected: >= 8.5.0
Affected: >= 8.6.0
Affected: >= 8.7.1
Unaffected: >= 7.19.18
Unaffected: >= 8.5.5
Credits
xiaoc

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:36.035Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/CONFSERVER-94065"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_data_center",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "8.7.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "confluence_server",
            "vendor": "atlassian",
            "versions": [
              {
                "lessThan": "8.7.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21673",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-25T05:00:56.340614Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T18:47:43.178Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Confluence Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 7.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.19.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.1.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.2.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.3.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.5.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.7.1"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.18"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.5"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.7.2"
            }
          ]
        },
        {
          "product": "Confluence Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "unaffected",
              "version": "\u003c 7.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.13.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.19.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.1.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.2.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.3.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.5.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.7.1"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 7.19.18"
            },
            {
              "status": "unaffected",
              "version": "\u003e= 8.5.5"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "xiaoc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server.\n\nRemote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of\u00a0CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and does not require user interaction.\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\n* Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release\n* Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release\n* Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release\n\nSee the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives )."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "RCE (Remote Code Execution)",
              "lang": "en",
              "type": "RCE (Remote Code Execution)"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-16T18:00:00.463Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://jira.atlassian.com/browse/CONFSERVER-94065"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2024-21673",
    "datePublished": "2024-01-16T05:00:00.724Z",
    "dateReserved": "2024-01-01T00:05:33.845Z",
    "dateUpdated": "2025-06-03T18:47:43.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}