A security vulnerability has recently been discovered in Confluence Data Center and Server for Windows installations. Specifically, this vulnerability is a security misconfiguration issue rated as Medium severity and known by its identifier, CVE-2024-21703. The issue affects installations starting with version 8.8.1.

An authenticated attacker who exploits this vulnerability would be able to access sensitive information about the Confluence Data Center configuration. This has been assessed to present a high impact on confidentiality, integrity, and availability, with no user interaction required to initiate the attack.

To mitigate the risk, Atlassian recommends upgrading Confluence Data Center and Server to the latest version or, if that is not possible, to one of several specified fixed versions.

Exploit Details

The CVE-2024-21703 vulnerability is a result of a security misconfiguration in Confluence Data Center and Server for Windows installations. With a CVSS Score of 6.4, this vulnerability can prove highly damaging if exploited.

The vulnerability is present in specific versions of Confluence Data Center and Server. The snippet below is only an illustrative placeholder that records the first affected version number; it is not an actual Confluence configuration file, and this advisory does not identify the specific misconfigured setting:

confluence.exe.config
{
  "security": {
    "misconfiguration": {
      "version": "8.8.1"
    }
  }
}

Original References

1. Confluence Release Notes (version 8.8.1): https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html
2. Confluence Data Center and Server Download Center: https://www.atlassian.com/software/confluence/download-archives
3. Atlassian Security Advisory: https://confluence.atlassian.com/doc/atlassian-security-advisory-2024-06-01-2170774092.html

How to Fix

If you are currently using a vulnerable version of Confluence Data Center and Server for Windows, follow these steps to resolve the issue and secure your installation:

1. Check your current Confluence Data Center and Server version.
2. Upgrade to the latest version available from the Download Center: https://www.atlassian.com/software/confluence/download-archives
3. If you are unable to upgrade to the latest version, upgrade your instance to one of the supported fixed versions mentioned below:

* Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.

By promptly upgrading your Confluence Data Center and Server installation, you will effectively address this security misconfiguration vulnerability (CVE-2024-21703) and help maintain the privacy and integrity of your organization's data.

Acknowledgment

We would like to thank Chris Elliot for reporting this vulnerability via the Atlassian Bug Bounty Program. As a result of his excellent work, users and administrators of Confluence Data Center and Server for Windows can work toward resolving this issue and strengthening their security posture.

Timeline

Published on: 11/27/2024 17:15:10 UTC
Last modified on: 11/27/2024 18:15:08 UTC