A critical vulnerability affecting Atlassian Confluence (Data Center and Server), identified by the reference CVE-2024-21683, has been disclosed. It has been assigned a CVSS 3.1 score of 8.3. It must be noted that several proofs of concept are readily available online and that this flaw affects all versions since 5.2.
CVE-2024-21683 allows an attacker to remotely execute arbitrary commands on the server hosting Confluence. The attack requires an account authenticated on the Confluence application with administrator privileges, which lowers the risk of exploitation but makes the flaw a direct privilege-to-host escalation for any compromised or malicious administrator account.
Technical details of Atlassian vulnerability
This vulnerability is exploitable by accessing specific API routes, including the following: https://<ConfluenceURL>/admin/plugins/newcode/addlanguage.action. The root cause of this issue lies in the processing of the data received on this route: the file submitted as a new Code Macro language is parsed and executed server-side by the embedded Rhino JavaScript engine, which exposes the Java runtime to the script. This allows an attacker to execute arbitrary Java code on the server, with the potential risk of:
- Stealing sensitive information;
- Modifying or inserting data;
- Denial of service.
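The route named above is also a legitimate administration page, so detection has to distinguish "an administrator added a language" from "an administrator uploaded a script that reaches into the Java runtime". The following is an added example (not Stormshield's or Atlassian's code) of that two-layer check: access-log lines touching the route are flagged for review, and a captured upload body is blocked when it contains Java bridging markers. The log format, the form field name, the marker list and all sample data are assumptions of this example and were constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Route named in the advisory.  Everything else in this file (log format,
# form-field name, marker list, sample data) is an assumption of this example.
VULN_ROUTE = "/admin/plugins/newcode/addlanguage.action"

# Combined/Common Log Format as written by a reverse proxy or Tomcat AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers of a language file that reaches into the Java runtime
# instead of describing syntax highlighting.  Hypothetical list; tune to your data.
JAVA_BRIDGE_RE = re.compile(
    r"\bjava\.(?:lang|io|net)\.|\bPackages\.|\bProcessBuilder\b|Runtime\.getRuntime\s*\("
)


def classify_access_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client, user, verdict) for lines touching the vulnerable route, else None.

    A POST here is a legitimate admin action too, so it is flagged for review rather
    than blocked: the access log does not contain the uploaded file itself."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group("path").split("?", 1)[0]
    if path != VULN_ROUTE:
        return None
    if m.group("method") == "POST":
        verdict = "review: new code-macro language submitted"
    else:
        verdict = "info: language form viewed"
    return m.group("host"), m.group("user"), verdict


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify_access_line over a log and keep the hits, in order."""
    return [hit for hit in map(classify_access_line, lines) if hit is not None]


def classify_upload(path: str, body: str) -> str:
    """Classify a captured request body (e.g. from a WAF or proxy) posted to the route.

    Returns "allow" for other routes, "block" when the uploaded file contains Java
    bridging markers, and "review" otherwise."""
    if path.split("?", 1)[0] != VULN_ROUTE:
        return "allow"
    return "block" if JAVA_BRIDGE_RE.search(body) else "review"


# Constructed sample data (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.7 - alice [21/May/2024:09:01:12 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [21/May/2024:09:02:40 +0000] "GET /admin/plugins/newcode/addlanguage.action HTTP/1.1" 200 3310',
    '10.0.0.9 - admin [21/May/2024:09:03:05 +0000] "POST /admin/plugins/newcode/addlanguage.action HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

# A language definition that only describes highlighting: expected, but still worth a review.
BENIGN_UPLOAD = (
    'Content-Disposition: form-data; name="languageFile"; filename="brush-mylang.js"\r\n\r\n'
    'var lang = { name: "mylang", keywords: ["begin", "end"], comment: "--" };\r\n'
)

# A language definition that touches the Java runtime: nothing legitimate does this.
SUSPICIOUS_UPLOAD = (
    'Content-Disposition: form-data; name="languageFile"; filename="brush-x.js"\r\n\r\n'
    'var rt = java.lang.Runtime.getRuntime();\r\n'
)

if __name__ == "__main__":
    for client, user, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{client} {user}: {verdict}")
    print("benign upload:", classify_upload(VULN_ROUTE, BENIGN_UPLOAD))
    print("suspicious upload:", classify_upload(VULN_ROUTE, SUSPICIOUS_UPLOAD))
```

The access-log layer is cheap and works retroactively on existing logs, which is what you want when checking whether the route was used before patching; the body layer needs a capture point in front of Confluence (proxy, WAF, or an inline firewall with HTTP inspection) and is the one that can actually block.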
Attack modelling with MITRE ATT&CK
- T1190 (Exploit Public-Facing Application)
Atlassian vulnerability: Stormshield Network Security protections
Protection to face CVE-2024-21683
Stormshield Network Security firewalls (SNS) detect and block exploitation of CVE-2024-21683 through HTTP protocol inspection, with the following signature:
- http:client:data.177 : Exploitation of a code injection vulnerability in Atlassian Confluence (CVE-2024-21683)
Confidence index for the protection offered by Stormshield
Confidence index for the absence of false positives
Recommendations regarding the Atlassian vulnerability
It is highly recommended to update Confluence to one of the following versions:
- 8.9.1 (or above);
- 8.5.9 (or above) if you use the 8.5 LTS branch;
- 7.19.22 (or above) if you use the 7.19 LTS branch.
The official security bulletin is available here: confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html