Third-Party Dependency Vulnerability in Confluence

This high severity Patch Management vulnerability was introduced in version 7.13.15 of Confluence Data Center & Server.

This Patch Management vulnerability, with CVSS Score(s) of 7.5, allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

The following Confluence Data Center & Server versions are affected:

>= 7.13.15 < 7.13.19
>= 7.19.7 < 7.19.11
>= 8.1.1 < 8.4.1

Atlassian recommends that you upgrade your instance to latest version, if you’re unable to do so, upgrade to these fixed versions: 7.13.19, 7.19.11, 8.4.1. See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center & Server from the download center ([https://www.atlassian.com/software/confluence/download-archives]).

The following is the listed NVD description for this vulnerability’s CVE:

• The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.