CVE-2024-21672: Code Injection
First published: Tue Jan 16 2024(Updated: )
This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H allows an unauthenticated attacker to remotely expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Confluence Server/Data Center | >=7.19.0<7.19.18 | |
| Atlassian Confluence Server/Data Center | >=8.5.0<8.5.5 | |
| Atlassian Confluence Server/Data Center | >=8.7.0<8.7.2 | |
| Atlassian Confluence Server and Data Server | >=7.19<7.19.18 | |
| Atlassian Confluence Server and Data Server | >=8.5.0<8.5.5 | |
| Atlassian Confluence Server and Data Server | >=8.7.0<=8.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-21672?
CVE-2024-21672 has a high severity level with a CVSS score of 8.3.
How do I fix CVE-2024-21672?
To mitigate CVE-2024-21672, update to the latest version of Confluence Data Center or Server as specified in the security bulletin.
What versions are affected by CVE-2024-21672?
CVE-2024-21672 affects Confluence Data Center versions from 7.19.0 to 7.19.18, 8.5.0 to 8.5.5, and 8.7.0 to 8.7.2, as well as Confluence Server versions in the same ranges.
What is the impact of CVE-2024-21672?
The impact of CVE-2024-21672 allows an unauthenticated attacker to execute remote code on affected installations.
Can CVE-2024-21672 be exploited remotely?
Yes, CVE-2024-21672 is a Remote Code Execution vulnerability that can be exploited by unauthenticated attackers over the network.
- agent/author
- agent/type
- agent/first-publish-date
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/atlassian
- canonical/atlassian confluence server/data center
- version/atlassian confluence server/data center/7.19.0
- version/atlassian confluence server/data center/8.5.0
- version/atlassian confluence server/data center/8.7.0
- canonical/atlassian confluence server and data server
- version/atlassian confluence server and data server/7.19
- version/atlassian confluence server and data server/8.5.0
- version/atlassian confluence server and data server/8.7.0
- version/atlassian confluence server and data server/8.7.2