CVE-2024-21673: Code Injection
First published: Tue Jan 16 2024(Updated: )
This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and does not require user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ).
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Confluence Server/Data Center | >=7.19.0<7.19.18 | |
| Atlassian Confluence Server/Data Center | >=8.5.0<8.5.5 | |
| Atlassian Confluence Server/Data Center | >=8.7.0<8.7.2 | |
| Atlassian Confluence Server and Data Server | >=7.19<7.19.18 | |
| Atlassian Confluence Server and Data Server | >=8.5.0<8.5.5 | |
| Atlassian Confluence Server and Data Server | >=8.7.0<=8.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-21673?
CVE-2024-21673 has a high severity rating with a CVSS score of 8.0.
How do I fix CVE-2024-21673?
To fix CVE-2024-21673, update your Confluence Data Center or Server to versions 7.19.19, 8.5.6, or 8.7.3 or later.
What types of attacks can CVE-2024-21673 facilitate?
CVE-2024-21673 allows for Remote Code Execution (RCE), enabling authenticated attackers to execute arbitrary code.
Which versions of Confluence are affected by CVE-2024-21673?
CVE-2024-21673 affects Confluence Data Center and Server versions from 7.13.0 through 8.7.2.
Is authentication required to exploit CVE-2024-21673?
Yes, an attacker must be authenticated to exploit CVE-2024-21673.
- agent/author
- agent/type
- agent/first-publish-date
- agent/description
- agent/severity
- agent/references
- agent/weakness
- agent/softwarecombine
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/atlassian
- canonical/atlassian confluence server/data center
- version/atlassian confluence server/data center/7.19.0
- version/atlassian confluence server/data center/8.5.0
- version/atlassian confluence server/data center/8.7.0
- canonical/atlassian confluence server and data server
- version/atlassian confluence server and data server/7.19
- version/atlassian confluence server and data server/8.5.0
- version/atlassian confluence server and data server/8.7.0
- version/atlassian confluence server and data server/8.7.2