CVE-2024-21683
Vulnerability from cvelistv5
Published
2024-05-21 23:00
Modified
2024-08-01 22:27
Severity
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html
You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives.
This vulnerability was found internally.
References
| Source | URL | Tags |
|---|---|---|
| security@atlassian.com | https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145 | Release Notes, Vendor Advisory |
| security@atlassian.com | https://jira.atlassian.com/browse/CONFSERVER-95832 | Issue Tracking |
Impacted products
| Vendor | Product |
|---|---|
| Atlassian | Confluence Data Center |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.9.0"
},
{
"lessThanOrEqual": "8.8.1",
"status": "affected",
"version": "8.8.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.7.2",
"status": "affected",
"version": "8.7.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.6.2",
"status": "affected",
"version": "8.6.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.5.8",
"status": "affected",
"version": "8.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.4.5",
"status": "affected",
"version": "8.4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.3.4",
"status": "affected",
"version": "8.3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.2.3",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.1.4",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.0.4",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.20.3",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.1921",
"status": "affected",
"version": "7.19.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.9.1"
},
{
"status": "affected",
"version": "8.5.9"
},
{
"status": "affected",
"version": "7.19.22"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-21683",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-20T03:55:33.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.803Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://packetstormsecurity.com/files/179507"
},
{
"tags": [
"x_transferred"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-95832"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "Confluence Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "8.9.0"
},
{
"status": "affected",
"version": "8.8.0 to 8.8.1"
},
{
"status": "affected",
"version": "8.7.1 to 8.7.2"
},
{
"status": "affected",
"version": "8.6.0 to 8.6.2"
},
{
"status": "affected",
"version": "8.5.0 to 8.5.8"
},
{
"status": "affected",
"version": "8.4.0 to 8.4.5"
},
{
"status": "affected",
"version": "8.3.0 to 8.3.4"
},
{
"status": "affected",
"version": "8.2.0 to 8.2.3"
},
{
"status": "affected",
"version": "8.1.0 to 8.1.4"
},
{
"status": "affected",
"version": "8.0.0 to 8.0.4"
},
{
"status": "affected",
"version": "7.20.0 to 7.20.3"
},
{
"status": "affected",
"version": "7.19.0 to 7.19.21"
},
{
"status": "unaffected",
"version": "8.9.1 to 8.9.2"
},
{
"status": "unaffected",
"version": "8.5.9 to 8.5.10"
},
{
"status": "unaffected",
"version": "7.19.22 to 7.19.23"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Atlassian"
}
],
"descriptions": [
{
"lang": "en",
"value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.\n\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\u00a0\n\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html\n\nYou can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives.\n\nThis vulnerability was found internally."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RCE (Remote Code Execution)",
"lang": "en",
"type": "RCE (Remote Code Execution)"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:30:00.572Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145"
},
{
"url": "https://jira.atlassian.com/browse/CONFSERVER-95832"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2024-21683",
"datePublished": "2024-05-21T23:00:00.446Z",
"dateReserved": "2024-01-01T00:05:33.846Z",
"dateUpdated": "2024-08-01T22:27:35.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-21683\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2024-05-21T23:15:07.923\",\"lastModified\":\"2024-07-03T01:46:45.440\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.\\n\\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\u00a0\\n\\nAtlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html\\n\\nYou can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives.\\n\\nThis vulnerability was found internally.\"},{\"lang\":\"es\",\"value\":\"Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo) de alta gravedad se introdujo en la versi\u00f3n 5.2 de Confluence Data Center and Server. Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo), con una puntuaci\u00f3n CVSS de 8,3, permite a un atacante autenticado ejecutar c\u00f3digo arbitrario que tiene un alto impacto en la confidencialidad, un alto impacto en la integridad, un alto impacto en la disponibilidad y no requiere interacci\u00f3n del usuario. Atlassian recomienda que los clientes de Confluence Data Center y Server actualicen a la \u00faltima versi\u00f3n. Si no puede hacerlo, actualice su instancia a una de las versiones fijas admitidas especificadas. Consulte las notas de la versi\u00f3n https://confluence.atlassian.com/doc/confluence-release-notes-327.html Puede descargar la \u00faltima versi\u00f3n de Confluence Data Center and Server desde el centro de descargas https://www.atlassian.com /software/confluence/descargar-archivos. Esta vulnerabilidad se encontr\u00f3 internamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"7.19.0\",\"versionEndExcluding\":\"7.19.22\",\"matchCriteriaId\":\"B3441F45-4865-406E-B65D-00B3D3F62854\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.20.0\",\"versionEndIncluding\":\"7.20.3\",\"matchCriteriaId\":\"CA11366E-1323-4E23-BC48-98E5A278ACBC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndIncluding\":\"8.0.4\",\"matchCriteriaId\":\"3E04D444-3EB1-4738-B7E2-5B7AE2E5E362\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.1.0\",\"versionEndIncluding\":\"8.1.4\",\"matchCriteriaId\":\"1F0C549F-BE94-4E69-AD21-7472364DCDEE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndIncluding\":\"8.2.3\",\"matchCriteriaId\":\"0850948D-AE6D-4DCA-9BA0-9980E6BFC202\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.3.0\",\"versionEndIncluding\":\"8.3.4\",\"matchCriteriaId\":\"63D5B3B0-7F7E-49B6-8C2D-FF4D824A9315\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.4.0\",\"versionEndIncluding\":\"8.4.5\",\"matchCriteriaId\":\"57BDBED4-B502-444B-8C8C-EDC8CD0717F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"8.5.0\",\"versionEndExcluding\":\"8.5.9\",\"matchCriteriaId\":\"3DA35EFC-343E-4672-B25F-3BF347D1569A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.6.0\",\"versionEndIncluding\":\"8.6.2\",\"matchCriteriaId\":\"A28B7617-2765-4C27-AC74-8C583ABF1977\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:8.7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0A3DA1F-C35D-464A-8E01-B2D8F05F85A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:8.7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1147BC2D-633D-40BB-8303-53D5FE8CB0FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:8.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F13F5EE-7BAE-4F46-ACDD-65155EF457F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:8.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3AFB1065-37A0-49ED-BA0A-F2F01797F45A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_data_center:8.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A9CDEDBB-0657-4391-BF76-44E2B8011004\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"7.19.0\",\"versionEndExcluding\":\"7.19.22\",\"matchCriteriaId\":\"3119D0A7-6270-4F16-AA5E-D6B36310BB34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.20.0\",\"versionEndIncluding\":\"7.20.3\",\"matchCriteriaId\":\"72EB6154-9A86-4A14-A341-D357D9FCB0DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndIncluding\":\"8.0.4\",\"matchCriteriaId\":\"ACE3F2DE-01CD-4CBC-B8F5-86ACCA6DC62A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.1.0\",\"versionEndIncluding\":\"8.1.4\",\"matchCriteriaId\":\"8201C848-0F3F-42B3-9430-A628CFC96B1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndIncluding\":\"8.2.3\",\"matchCriteriaId\":\"4451E75A-00F4-4AC2-BE18-CCB1471B88BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.3.0\",\"versionEndIncluding\":\"8.3.4\",\"matchCriteriaId\":\"D5FF2B9F-070E-458F-BD17-20A4ECBEAD72\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.4.0\",\"versionEndIncluding\":\"8.4.5\",\"matchCriteriaId\":\"71CE6EAD-724D-49C4-BE5A-C45884C1F237\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"8.5.0\",\"versionEndExcluding\":\"8.5.9\",\"matchCriteriaId\":\"E64FAC9F-2E03-496D-B1FA-01DE40473675\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.6.0\",\"versionEndIncluding\":\"8.6.2\",\"matchCriteriaId\":\"BA046009-AC63-4DF2-90E0-38873BD4614E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:8.7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABB0C806-A61F-4238-BE92-25FD9B771EFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:8.7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1245106-DD17-410F-963D-6877C19ED65D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:8.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4F9DEA9-BBB4-4205-9557-CAD0184DA3F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:8.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7228BE60-B856-4C52-B7A5-014D1768CD33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:confluence_server:8.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3381AD0-F839-4AEC-9D90-EB78F271BD4C\"}]}]}],\"references\":[{\"url\":\"https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145\",\"source\":\"security@atlassian.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://jira.atlassian.com/browse/CONFSERVER-95832\",\"source\":\"security@atlassian.com\",\"tags\":[\"Issue Tracking\"]}]}}"
}
}
Loading...