High-risk Atlassian Confluence RCE fixed, PoC available (CVE-2024-21683)

If you’re self-hosting an Atlassian Confluence Server or Data Center installation, you should upgrade to the latest available version to fix a high-severity RCE flaw (CVE-2024-21683) for which a PoC and technical details are already public.

CVE-2024-21683 PoC

About CVE-2024-21683

Confluence Server and Data Center are software solutions that are widely used in enterprise settings to manage knowledge bases, documentation, and standardize collaboration.

CVE-2024-21683 is a remote code execution vulnerability that’s easy to weaponize (via a specially crafted JavaScript language file) and requires no user interaction to be exploited, but isn’t deemed to be critical because other preconditions must be fulfilled, namely:

  • The attacker must be logged into Confluence
  • The attacker must have high enough privileges to add new macro languages
  • The JavaScript file containing malicious Java code must be uploaded to the Configure Code Macro > Add a new language

“This vulnerability arises due to a flaw in the input validation mechanism in the ‘Add a new language’ function of the ‘Configure Code Macro’ section,” Sonicwall researchers explained.

“This function allows users to upload a new code block macro language definition to customize the formatting and syntax highlighting. It expects the Javascript file to be formatted according to the custom brush syntax. Insufficient validation allows the authenticated attacker to inject malicious Java code embedded in a file (…), which will be executed on the server.”

A PoC for CVE-2024-21683 can be found on GitHub and is based on a by security researcher Huong Kieu.

Upgrade Confluence ASAP

“Considering Confluence Server’s pivotal role in maintaining an organization’s knowledge base, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory,” Sonicwall researchers advised.

Vulnerabilities in Data Center and Confluence Server are regularly leveraged by attackers.



Don't miss