CVE-2024-21674 Overview
CVE-2024-21674 is a Remote Code Execution (RCE) vulnerability in Atlassian Confluence Data Center and Server. The flaw was introduced in version 7.13.0 and affects multiple subsequent releases. Atlassian disclosed the issue in its January 16, 2024 security bulletin.
An unauthenticated attacker can exploit this vulnerability over the network without user interaction. The weakness is categorized as Improper Control of Generation of Code [CWE-94]. Successful exploitation exposes assets in the environment, with high impact to confidentiality. The current EPSS probability stands at 1.77% (75th percentile), indicating elevated attacker interest.
Critical Impact
An unauthenticated remote attacker can reach internal Confluence assets and trigger code generation paths that compromise confidentiality of hosted data.
Affected Products
- Atlassian Confluence Data Center (versions from 7.13.0 up to fixed releases)
- Atlassian Confluence Server (versions from 7.13.0 up to fixed releases)
- Confluence 7.19.x prior to 7.19.18, 8.5.x prior to 8.5.5, and 8.7.x prior to 8.7.2
Discovery Timeline
- 2024-01-16 - Atlassian publishes security bulletin disclosing CVE-2024-21674
- 2024-01-16 - CVE-2024-21674 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-21674
Vulnerability Analysis
The vulnerability resides in Confluence Data Center and Server code paths introduced in version 7.13.0. It is classified under [CWE-94], Improper Control of Generation of Code, which covers cases where user-influenced input reaches a code generation or interpretation routine. An unauthenticated attacker can send crafted network requests to a vulnerable Confluence instance and cause the application to expose protected assets.
Atlassian's advisory rates the impact as high to confidentiality, with no impact to integrity or availability in the rated vector. The vector's scope is Changed, meaning exploitation affects resources beyond the originally vulnerable component. Because Confluence is commonly deployed as an internal knowledge base, exposed assets may include corporate documentation, credentials embedded in pages, and attachments.
Root Cause
The root cause is improper control over code generation logic added in Confluence 7.13.0. Untrusted input reaches a path that influences how the application generates or evaluates code, allowing an attacker to manipulate execution context without authentication. Atlassian has not published low-level technical details, and no public proof-of-concept has been verified.
Attack Vector
The attack is delivered over the network against the Confluence HTTP interface. No authentication, privileges, or user interaction are required. An attacker scans for exposed Confluence instances, identifies vulnerable versions through banner or response fingerprinting, and submits crafted requests to trigger the code generation flaw.
No verified exploit code is publicly available for this issue. Refer to the Atlassian Security Bulletin January 2024 and the tracking issue CONFSERVER-94066 for vendor-supplied detail.
Detection Methods for CVE-2024-21674
Indicators of Compromise
- Unexpected outbound connections from the Confluence application server to attacker-controlled hosts following inbound HTTP requests.
- Anomalous access to Confluence pages, spaces, or attachments by sessions that lack a prior authentication event.
- Confluence application logs showing repeated requests to uncommon endpoints from a single source IP.
Detection Strategies
- Inventory all Confluence Data Center and Server instances and compare deployed versions against the fixed releases 7.19.18, 8.5.5, and 8.7.2.
- Inspect reverse proxy and web application firewall logs for unauthenticated requests targeting Confluence endpoints with abnormal parameters.
- Correlate Confluence access logs with endpoint telemetry to identify post-exploitation activity such as new processes spawned by the Confluence JVM.
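The version-inventory check above, as an added example (not code from Atlassian or from the original page): it encodes only the ranges the advisory text gives, affected from 7.13.0 and fixed in 7.19.18, 8.5.5 and 8.7.2. Branches with no listed fix (for example 8.6.x) are treated as affected until upgraded; that reading, and the sample hostnames, are assumptions.

```python
import re
from typing import Iterable, List, Tuple

FIRST_AFFECTED = (7, 13, 0)
# (major, minor) branch -> first fixed release in that branch, per the advisory
FIXED_IN_BRANCH = {(7, 19): (7, 19, 18), (8, 5): (8, 5, 5), (8, 7): (8, 7, 2)}
LATEST_FIX = (8, 7, 2)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '8.5.4', '8.5.4-LTS' or '7.19' into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside the CVE-2024-21674 affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # predates the code introduced in 7.13.0
    branch = v[:2]
    if branch in FIXED_IN_BRANCH:
        return v < FIXED_IN_BRANCH[branch]
    # Assumption: a branch without a listed fix stays affected until it is
    # newer than the most recent fixed release (8.7.2).
    return v < LATEST_FIX


def triage_inventory(hosts: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that still need an upgrade."""
    return [(host, ver) for host, ver in hosts if is_affected(ver)]


# Constructed sample inventory; hostnames are made up.
SAMPLE_INVENTORY = [
    ("wiki-prod-01", "8.5.4"),
    ("wiki-prod-02", "8.5.5"),
    ("wiki-legacy", "7.19.17"),
    ("wiki-old", "7.12.5"),
    ("wiki-dev", "8.7.2"),
    ("wiki-stage", "8.6.1"),
]

if __name__ == "__main__":
    for host, ver in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected by CVE-2024-21674, upgrade required")
```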
Monitoring Recommendations
- Enable verbose access logging on Confluence and forward logs to a centralized analytics platform for long-term retention.
- Alert on Java process spawns of shells, scripting interpreters, or network utilities from the Confluence service account.
- Monitor for newly created administrative accounts or unexpected modifications to Confluence configuration files.
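The process-spawn alert described above, as an added example that is not part of the original page: it flags process-creation events in which the Confluence JVM, running as its service account, launches a shell, scripting interpreter or network utility. The event field names, the service account name "confluence" and the sample events are assumptions; map them onto your EDR or auditd schema.

```python
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, Iterable, List

CONFLUENCE_ACCOUNTS = {"confluence"}  # assumed service account name
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh",
    "python", "python3", "perl", "ruby",
    "curl", "wget", "nc", "ncat", "socat", "certutil.exe", "bitsadmin.exe",
}


def basename(path: str) -> str:
    """Lower-cased executable name from either a Linux or a Windows path."""
    if "\\" in path:
        return PureWindowsPath(path).name.lower()
    return PurePosixPath(path).name.lower()


def is_java(path: str) -> bool:
    return basename(path) in {"java", "java.exe"}


def is_suspicious_spawn(event: Dict[str, str]) -> bool:
    """True when a Confluence JVM spawns an interactive or network tool."""
    return (
        event.get("user", "").lower() in CONFLUENCE_ACCOUNTS
        and is_java(event.get("parent_image", ""))
        and basename(event.get("image", "")) in SUSPICIOUS_CHILDREN
    )


def find_suspicious(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if is_suspicious_spawn(e)]


# Constructed sample telemetry; hosts and paths are made up.
SAMPLE_EVENTS = [
    {"host": "wiki-prod-01", "user": "confluence",
     "parent_image": "/opt/atlassian/confluence/jre/bin/java", "image": "/bin/sh"},
    {"host": "wiki-prod-01", "user": "confluence",  # JVM launching a JVM: benign
     "parent_image": "/opt/atlassian/confluence/jre/bin/java", "image": "/usr/bin/java"},
    {"host": "wiki-prod-01", "user": "root",  # cron-driven shell: not the JVM
     "parent_image": "/usr/sbin/cron", "image": "/bin/bash"},
    {"host": "wiki-win-01", "user": "CONFLUENCE",
     "parent_image": "C:\\Atlassian\\Confluence\\jre\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {e['host']}: {e['parent_image']} spawned {e['image']}")
```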
How to Mitigate CVE-2024-21674
Immediate Actions Required
- Upgrade Confluence Data Center and Server to the latest available release as recommended by Atlassian.
- If immediate upgrade is not possible, move to one of the supported fixed versions: 7.19.18+, 8.5.5+, or 8.7.2+.
- Restrict network access to Confluence instances by placing them behind a VPN or IP allow list while patching is scheduled.
- Rotate any credentials, API tokens, or secrets that may have been stored within Confluence pages or attachments on exposed systems.
Patch Information
Atlassian released fixed versions on January 16, 2024. Customers should upgrade Confluence Data Center and Server 7.19 to 7.19.18 or higher, 8.5 to 8.5.5 or higher, and 8.7 to 8.7.2 or higher. The fixes are documented in the Atlassian Security Bulletin January 2024 and tracked in CONFSERVER-94066. Download the latest version from the Atlassian Confluence download archives.
Workarounds
- Atlassian does not publish a configuration-based workaround; upgrading is the only fully supported remediation.
- Limit network exposure of the Confluence application to trusted networks and authenticated proxy gateways until patching completes.
- Enforce web application firewall rules that block unauthenticated access to non-public Confluence endpoints.
# Example: restrict Confluence access at the reverse proxy until patched
# nginx snippet allowing only the corporate VPN CIDR (adjust to your network)
location / {
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://confluence_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.