Confluence Data Center and Server Security Misconfiguration on Windows
CVE-2024-21703 Published on November 27, 2024
This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows host to read sensitive information about the Confluence Data Center configuration which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.18 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.5 * Confluence Data Center and Server 8.7: Upgrade to a release greater than or equal to 8.7.2 * Confluence Data Center and Server 8.8: Upgrade to a release greater than or equal to 8.8.0 See the release notes (https://confluence.atlassian.com/conf88/confluence-release-notes-1354501008.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ). This vulnerability was reported via our Atlassian Bug Bounty Program by Chris Elliot.
Vulnerability Analysis
CVE-2024-21703 can be exploited with local system access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data.
Products Associated with CVE-2024-21703
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-21703 are published in Atlassian Confluence:
Affected Versions
Atlassian Confluence Data Center:- Version 8.7.1 is affected.
- Version 8.8.0 to 8.8.1 is unaffected.
- Version 8.7.2 is unaffected.
- Version 8.5.5 to 8.5.17 is unaffected.
- Version 7.19.18 to 7.19.29 is unaffected.
- Version 8.5.5 to 8.5.17 is unaffected.
- Version 7.19.18 to 7.19.29 is unaffected.
- Version 7.19 and below 7.1918 is affected.
- Version 8.5 and below 8.5.5 is affected.
- Version 8.7 and below 8.7.2 is affected.
- Version 8.8 and below 8.8.0 is affected.
- Version 7.19 and below 7.19.18 is affected.
- Version 8.5 and below 8.5.5 is affected.
- Version 8.7 and below 8.7.2 is affected.
- Version 8.8 and below 8.8.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.