CVE-2024-21683

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.

References

Link	Resource
https://confluence.atlassian.com/pages/viewpage.action?pageId=1409286211	Vendor Advisory
https://jira.atlassian.com/browse/CONFSERVER-95832	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center:::::lts:::*
	cpe:2.3:a:atlassian:confluence_data_center:::::lts:::*
	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center::::::::
	cpe:2.3:a:atlassian:confluence_data_center:8.7.1:::::::*
	cpe:2.3:a:atlassian:confluence_data_center:8.7.2:::::::*
	cpe:2.3:a:atlassian:confluence_data_center:8.8.0:::::::*
	cpe:2.3:a:atlassian:confluence_data_center:8.8.1:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server:8.8.0:::::::*
	cpe:2.3:a:atlassian:confluence_server:8.8.1:::::::*
	cpe:2.3:a:atlassian:confluence_server:8.7.1:::::::*
	cpe:2.3:a:atlassian:confluence_server:8.7.2:::::::*
	cpe:2.3:a:atlassian:confluence_server::::::::
	cpe:2.3:a:atlassian:confluence_server:::::lts:::*
	cpe:2.3:a:atlassian:confluence_server:::::lts:::*

Configuration 3 (hide)

cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*

Configuration 5 (hide)

OR	cpe:2.3:a:atlassian:jira_data_center:::::lts:::*
	cpe:2.3:a:atlassian:jira_data_center:::::lts:::*

Configuration 6 (hide)

OR	cpe:2.3:a:atlassian:jira_server:::::lts:::*
	cpe:2.3:a:atlassian:jira_server:::::lts:::*

Configuration 7 (hide)

OR	cpe:2.3:a:atlassian:jira_service_management:::::data_center:::*
	cpe:2.3:a:atlassian:jira_service_management:::::data_center:::*
	cpe:2.3:a:atlassian:jira_service_management:::::data_center:::*

Configuration 8 (hide)

OR	cpe:2.3:a:atlassian:jira_service_management:::::server:::*
	cpe:2.3:a:atlassian:jira_service_management:::::server:::*
	cpe:2.3:a:atlassian:jira_service_management:5.15.2::::server:::

History

10 Apr 2025, 19:54

Type	Values Removed	Values Added
First Time		Atlassian jira Server Atlassian jira Service Management Atlassian fisheye Atlassian confluence Data Center Atlassian crucible Atlassian confluence Server Atlassian jira Data Center Atlassian
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:atlassian:jira_data_center:::::lts:::* cpe:2.3:a:atlassian:fisheye:::::::: cpe:2.3:a:atlassian:confluence_data_center:8.7.2:::::::* cpe:2.3:a:atlassian:confluence_server:8.7.2:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.8.1:::::::* cpe:2.3:a:atlassian:confluence_server:::::lts:::* cpe:2.3:a:atlassian:confluence_data_center:::::::: cpe:2.3:a:atlassian:confluence_server:8.8.1:::::::* cpe:2.3:a:atlassian:confluence_data_center:::::lts:::* cpe:2.3:a:atlassian:jira_server:::::lts:::* cpe:2.3:a:atlassian:jira_service_management:::::server:::* cpe:2.3:a:atlassian:confluence_server:8.8.0:::::::* cpe:2.3:a:atlassian:jira_service_management:5.15.2::::server::: cpe:2.3:a:atlassian:jira_service_management:::::data_center:::* cpe:2.3:a:atlassian:confluence_server:::::::: cpe:2.3:a:atlassian:confluence_data_center:8.7.1:::::::* cpe:2.3:a:atlassian:crucible:::::::: cpe:2.3:a:atlassian:confluence_server:8.7.1:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.8.0:::::::*
References	~~() https://confluence.atlassian.com/pages/viewpage.action?pageId=1409286211 -~~	() https://confluence.atlassian.com/pages/viewpage.action?pageId=1409286211 - Vendor Advisory
References	~~() https://jira.atlassian.com/browse/CONFSERVER-95832 -~~	() https://jira.atlassian.com/browse/CONFSERVER-95832 - Issue Tracking
CWE		NVD-CWE-noinfo

14 Mar 2025, 16:15

Type	Values Removed	Values Added
Summary	~~Rejected reason: This CVE's publication may have been a false positive or a mistake. As a result, we have rejected this record.~~	This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.
References		() https://confluence.atlassian.com/pages/viewpage.action?pageId=1409286211 - () https://jira.atlassian.com/browse/CONFSERVER-95832 -

01 Jan 2025, 00:15

Type	Values Removed	Values Added
Summary	This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.	Rejected reason: This CVE's publication may have been a false positive or a mistake. As a result, we have rejected this record.
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : unknown
CWE	~~NVD-CWE-noinfo~~
References	{'url': 'https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145', 'name': 'https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145', 'tags': ['Release Notes', 'Vendor Advisory'], 'refsource': ''} ~~{'url': 'https://jira.atlassian.com/browse/CONFSERVER-95832', 'name': 'https://jira.atlassian.com/browse/CONFSERVER-95832', 'tags': ['Issue Tracking'], 'refsource': ''}~~
CPE	cpe:2.3:a:atlassian:confluence_server:8.8.0:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.9.0:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.7.2:::::::* cpe:2.3:a:atlassian:confluence_server:8.7.2:::::::* cpe:2.3:a:atlassian:confluence_data_center:::::::: cpe:2.3:a:atlassian:confluence_server:::::::: cpe:2.3:a:atlassian:confluence_data_center:8.8.1:::::::* cpe:2.3:a:atlassian:confluence_server:8.9.0:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.7.1:::::::* cpe:2.3:a:atlassian:confluence_server:::::lts:::* cpe:2.3:a:atlassian:confluence_server:8.7.1:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.8.0:::::::* cpe:2.3:a:atlassian:confluence_server:8.8.1:::::::* cpe:2.3:a:atlassian:confluence_data_center:::::lts:::*

10 Jun 2024, 18:15

Type	Values Removed	Values Added
Summary	This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.3, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.	This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.

04 Jun 2024, 14:30

Type	Values Removed	Values Added
References	~~() https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145 -~~	() https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145 - Release Notes, Vendor Advisory
References	~~() https://jira.atlassian.com/browse/CONFSERVER-95832 -~~	() https://jira.atlassian.com/browse/CONFSERVER-95832 - Issue Tracking
CWE		NVD-CWE-noinfo
First Time		Atlassian confluence Data Center Atlassian confluence Server Atlassian
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:atlassian:confluence_server:8.8.0:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.8.1:::::::* cpe:2.3:a:atlassian:confluence_data_center:::::lts:::* cpe:2.3:a:atlassian:confluence_server:8.7.1:::::::* cpe:2.3:a:atlassian:confluence_server:::::lts:::* cpe:2.3:a:atlassian:confluence_data_center:8.8.0:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.7.2:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.9.0:::::::* cpe:2.3:a:atlassian:confluence_server:8.9.0:::::::* cpe:2.3:a:atlassian:confluence_data_center:8.7.1:::::::* cpe:2.3:a:atlassian:confluence_data_center:::::::: cpe:2.3:a:atlassian:confluence_server:::::::: cpe:2.3:a:atlassian:confluence_server:8.7.2:::::::* cpe:2.3:a:atlassian:confluence_server:8.8.1:::::::*

21 May 2024, 23:15

Type	Values Removed	Values Added
New CVE

8.8^/10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED