CVE-2024-21672: Confluence Data Center RCE Vulnerability

CVE-2024-21672 Overview

CVE-2024-21672 is a Remote Code Execution (RCE) vulnerability affecting Atlassian Confluence Data Center and Server. This vulnerability was introduced in version 2.1.0 and allows an unauthenticated attacker to remotely expose assets in your environment susceptible to exploitation. The vulnerability has high impact to confidentiality, integrity, and availability, though it requires user interaction for successful exploitation.

This RCE vulnerability is classified under CWE-94 (Improper Control of Generation of Code / Code Injection), indicating that the flaw stems from improper handling or generation of code within the Confluence application. Organizations running vulnerable versions of Confluence should treat this as a priority remediation item given the potential for complete system compromise.

Critical Impact

Unauthenticated attackers can achieve remote code execution on vulnerable Confluence instances, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.

Affected Products

• Atlassian Confluence Data Center versions 2.1.0 through 7.19.17, 8.0.0 through 8.5.4, and 8.6.0 through 8.7.1
• Atlassian Confluence Server versions 2.1.0 through 7.19.17, 8.0.0 through 8.5.4, and 8.6.0 through 8.7.1

Discovery Timeline

• January 16, 2024 - CVE-2024-21672 published to NVD
• June 2, 2025 - Last updated in NVD database

Technical Details for CVE-2024-21672

Vulnerability Analysis

This Remote Code Execution vulnerability in Atlassian Confluence stems from improper control of code generation (CWE-94), which allows attackers to inject and execute arbitrary code on the server. The vulnerability is network-accessible and does not require authentication, though successful exploitation depends on user interaction.

The attack can be initiated remotely over the network, making internet-facing Confluence instances particularly at risk. Upon successful exploitation, an attacker can achieve complete control over the affected Confluence server, enabling them to access sensitive corporate knowledge base content, pivot to other internal systems, deploy malware or ransomware, and exfiltrate confidential data stored within Confluence spaces.

Root Cause

The vulnerability is rooted in CWE-94: Improper Control of Generation of Code, commonly known as Code Injection. This weakness occurs when the software constructs all or part of a code segment using externally-influenced input from an upstream component, but does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

In the context of Confluence, this likely manifests in a component that dynamically generates or evaluates code based on user-supplied input without proper sanitization or validation, allowing malicious payloads to be executed in the server context.

Attack Vector

The attack vector for CVE-2024-21672 is network-based, meaning attackers can exploit this vulnerability remotely without requiring local access to the target system. The exploitation scenario involves the following characteristics:

• Network Accessible: The vulnerability can be triggered over the network, making internet-exposed Confluence instances prime targets
• No Authentication Required: Attackers do not need valid credentials to initiate the attack
• User Interaction Required: Successful exploitation requires some form of user interaction, which could involve tricking an authenticated user into clicking a malicious link or viewing attacker-controlled content
• Scope Change: The vulnerability has the potential to affect resources beyond the vulnerable component itself

Attackers may craft specially designed requests or content that, when processed by Confluence in conjunction with user interaction, results in arbitrary code execution on the underlying server with the privileges of the Confluence application.

Detection Methods for CVE-2024-21672

Indicators of Compromise

• Unexpected outbound network connections from Confluence servers to unknown external hosts
• Anomalous process spawning from Confluence Java processes, particularly shell processes or scripting interpreters
• Unusual file system modifications in Confluence installation directories or system temporary folders
• Authentication anomalies or session hijacking indicators in Confluence access logs

Detection Strategies

• Deploy web application firewall (WAF) rules to inspect and filter potentially malicious requests targeting Confluence endpoints
• Monitor Confluence application logs for unusual request patterns, error messages, or code injection indicators
• Implement network segmentation and monitor traffic between Confluence servers and other network segments for lateral movement attempts
• Enable and review Java process monitoring for the Confluence application to detect anomalous child process creation

Monitoring Recommendations

• Configure SIEM alerts for suspicious Confluence server activity including unexpected process execution and file modifications
• Monitor for unusual authentication patterns that could indicate exploitation attempts requiring user interaction
• Implement file integrity monitoring on Confluence installation directories and configuration files
• Review Confluence audit logs regularly for signs of unauthorized access or privilege escalation following potential exploitation

How to Mitigate CVE-2024-21672

Immediate Actions Required

• Identify all Confluence Data Center and Server instances in your environment and verify their current version numbers
• Prioritize patching for internet-facing Confluence instances as they are most susceptible to remote exploitation
• Review network access controls and consider temporarily restricting external access to Confluence until patches are applied
• Enable enhanced logging and monitoring on Confluence servers to detect potential exploitation attempts

Patch Information

Atlassian recommends upgrading to the latest version of Confluence Data Center and Server. If immediate upgrade to the latest version is not possible, upgrade to one of the following fixed versions:

• Confluence Data Center and Server 7.19: Upgrade to release 7.19.18 or any higher 7.19.x release
• Confluence Data Center and Server 8.5: Upgrade to release 8.5.5 or any higher 8.5.x release
• Confluence Data Center and Server 8.7: Upgrade to release 8.7.2 or any higher release

For detailed release information, refer to the Atlassian Confluence Release Notes. Downloads are available from the Atlassian Download Center. Additional details can be found in the Atlassian Security Bulletin January 2024 and the Atlassian JIRA Issue CONFSERVER-94064.

Workarounds

• Restrict network access to Confluence instances using firewall rules to limit exposure to trusted IP ranges only
• Place Confluence behind a reverse proxy or WAF with strict request filtering and inspection capabilities
• Disable or restrict access to Confluence features that may be involved in the vulnerability until patching is complete
• Implement additional authentication layers such as VPN requirements for accessing Confluence instances

# Example: Restrict Confluence access to internal networks using iptables
# Allow access from trusted internal subnet only
iptables -A INPUT -p tcp --dport 8090 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP

# For cloud deployments, configure security groups to restrict access
# Example AWS CLI command to update security group
aws ec2 authorize-security-group-ingress \
    --group-id sg-xxxxxxxx \
    --protocol tcp \
    --port 8090 \
    --cidr 10.0.0.0/8