CVE-2024-21690
📋 TL;DR
This high-severity vulnerability in Confluence Data Center and Server is a reflected cross-site scripting (XSS) flaw that can be chained into cross-site request forgery (CSRF). The attacker needs no account on the target: a crafted link, opened by a logged-in Confluence user, runs attacker-controlled HTML or JavaScript in the Confluence origin with that user's session, which can be used to read data the user can see and to perform actions as that user.
💻 Affected Systems
- Confluence Data Center
- Confluence Server
📦 What is this software?
Confluence is Atlassian's wiki and team collaboration platform. Data Center and Server are the editions customers run on their own infrastructure; the fixed versions below apply to those self-managed deployments.
⚠️ Risk & Real-World Impact
Worst Case
An administrator with an active session opens the crafted link. The injected script runs in the Confluence origin with the admin's session, can read the anti-CSRF token (atl_token) that Confluence embeds in its pages, and so can issue administrative requests (user, permission or content changes) and exfiltrate page content.
Likely Case
Session-level compromise of whichever user opens the link: unauthorized content modification and exfiltration of pages and attachments visible to that user, delivered through a malicious link in email, chat or another Confluence page.
If Mitigated
Reduced but not eliminated impact. A WAF and user awareness cut the number of successful lures; a Content Security Policy limits what injected script can do, but Confluence itself relies on inline scripts, so a CSP strict enough to block the payload generally cannot be deployed without breaking the product. Only the vendor fix removes the flaw.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open an attacker-crafted URL while logged in to Confluence. Nothing more is needed on the attacker's side. Because Confluence's anti-CSRF token is readable by script running in the page origin, the XSS defeats the XSRF protection that would otherwise block forged state-changing requests, so once a victim is lured the attack is low-complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.19.26+, 8.5.14+, 9.0.1+
Vendor Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667
Restart Required: Yes
Instructions:
1. Back up the Confluence home directory, install directory and database.
2. Download the fixed release for your branch (7.19.26+, 8.5.14+, 9.0.1+) from the Atlassian download center.
3. Stop the Confluence service.
4. Install the update following Atlassian's upgrade guide; for a Data Center cluster, upgrade every node.
5. Restart the Confluence service.
6. Verify the running version (see How to Verify below).
🔧 Temporary Workarounds
Web Application Firewall
Deploy WAF rules for reflected XSS (script tags, javascript: URLs, event-handler attributes, including URL-encoded and double-encoded forms) in front of Confluence. This reduces exposure but is bypassable; treat it as a stopgap, not a fix.
Content Security Policy
Add a CSP that restricts script sources, starting in Content-Security-Policy-Report-Only mode to measure breakage. Confluence depends on inline scripts, so expect that blocking inline script will break the UI; this limits the damage a payload can do rather than preventing the injection.
🧯 If You Can't Patch
- Restrict who can reach Confluence (VPN or network segmentation). A victim inside the allowed network is still exploitable, so this shrinks the pool of reachable users and lure paths rather than removing the flaw
- Shorten session timeouts and discourage long-lived "remember me" logins to limit how long a hijacked session is useful. MFA at login does not help here: the attack rides an already-authenticated session
🔍 How to Verify
Check if Vulnerable:
Read the running version from Admin > System Information, or from the ajs-version-number meta tag that every Confluence page emits, and compare it with the fixed releases.
Check Version:
curl -s https://confluence-instance/ | grep -o 'name="ajs-version-number" content="[^"]*"'
(Add -k only if the instance presents a certificate your client does not trust; do not make disabling TLS verification a habit.)
Verify Fix Applied:
The reported version is 7.19.26 or later on the 7.19 branch, 8.5.14 or later on the 8.5 branch, or 9.0.1 or later. A version on any other branch (for example 8.9.x) is not covered by a fix listed here; upgrade it to one of those releases.
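The version check above, carried through as a script. This is an added example written for this page, not Atlassian tooling: it pulls the ajs-version-number meta tag from the front page, maps the version onto the fixed releases listed in this advisory, and treats any branch not covered by one of those releases as needing an upgrade (a conservative assumption; the advisory does not list fixed releases for those branches). The HTML sample is constructed; run it with a base URL to check a live instance.

```python
import re
import ssl
import sys
import urllib.request

# Minimum fixed release per branch, as listed in this advisory.
FIXED_BY_BRANCH = {(7, 19): (7, 19, 26), (8, 5): (8, 5, 14), (9, 0): (9, 0, 1)}

# Constructed sample of a Confluence page head; the real page carries the same
# <meta name="ajs-version-number"> tag among many others.
SAMPLE_HTML = (
    '<html><head><meta name="ajs-version-number" content="8.5.12">'
    "<title>Dashboard</title></head></html>"
)

VERSION_META = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"')


def parse_version(s):
    """'8.5.14' -> (8, 5, 14); missing components are padded with 0."""
    nums = [int(p) for p in s.strip().split(".")[:3] if p.isdigit()]
    return tuple(nums + [0] * (3 - len(nums)))


def extract_version(html):
    """Return the version string from the ajs-version-number meta tag, or None."""
    m = VERSION_META.search(html)
    return m.group(1) if m else None


def assess(version_str):
    """Classify a version against the fixed releases: fixed / vulnerable / unlisted-branch."""
    v = parse_version(version_str)
    if v[0] >= 9:
        # 9.0.1 and every later 9.x release carry the fix; 9.0.0 does not.
        return "fixed" if v >= (9, 0, 1) else "vulnerable"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # e.g. 8.9.x: no fixed release listed for this branch, so it must be
        # upgraded to one of the listed releases (assumption: treat as not fixed).
        return "unlisted-branch"
    return "fixed" if v >= fixed else "vulnerable"


def check_instance(base_url, verify_tls=True, timeout=10):
    """Fetch the front page of a live instance and assess its version."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for instances with certificates you do not trust
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(base_url, context=ctx, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", "replace")
    version = extract_version(html)
    return version, (assess(version) if version else "unknown")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        version, verdict = check_instance(sys.argv[1])
    else:
        version = extract_version(SAMPLE_HTML)
        verdict = assess(version)
    print(f"Confluence {version}: {verdict}")
```

The front page (including the login page) is enough; the meta tag does not require authentication to read, which is also why an attacker can fingerprint the instance the same way.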
📡 Detection & Monitoring
Log Indicators:
- Requests, typically GET, whose query or form parameters contain script fragments (<script, javascript:, onerror=, onload=); in Tomcat access logs these appear URL-encoded (%3Cscript, javascript%3A, onerror%3D) and sometimes double-encoded
- State-changing requests (POST/PUT/DELETE) whose Referer or Origin is not your Confluence host
Network Indicators:
- HTTP requests to Confluence carrying JavaScript payloads, visible only at a proxy or WAF that sees decrypted traffic
- Confluence XSRF check failures (responses such as the "XSRF Security Token Missing" page) clustered around one user or source address
SIEM Query:
Splunk-style query over the Tomcat access log. Point source at wherever your Confluence access log lands: the application log (atlassian-confluence.log) does not record request URLs, the access log does.
source="*access_log*" AND ("<script" OR "%3Cscript" OR "javascript:" OR "javascript%3A" OR "onerror=" OR "onerror%3D" OR "onload=" OR "onload%3D")
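The log indicators above, run over sample access-log lines. This is an added example written for this page, not a Confluence or Atlassian component: it parses combined-format access-log lines (the log lines are constructed; the Confluence host name wiki.example.com and the attacker host are placeholders), URL-decodes the request target repeatedly so double-encoded payloads are caught, matches the XSS fragments from the indicator list (generalised slightly to a few common event handlers), and flags state-changing requests whose Referer comes from a foreign host. Adjust LOG_RE if your server.xml uses a different AccessLogValve pattern.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/Tomcat "combined" access-log line. Adjust if your AccessLogValve
# pattern in server.xml differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Reflected-XSS fragments, checked against the fully decoded, lower-cased target.
# The event-handler pattern generalises the onerror=/onload= indicators above.
XSS_PATTERNS = [
    re.compile(r"<script"),
    re.compile(r"javascript:"),
    re.compile(r"\bon(error|load|mouseover|focus|click)\s*="),
]

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

# Constructed sample lines: a benign page view, a plain encoded payload, a
# double-encoded payload, a cross-origin POST and a same-origin POST.
SAMPLE_LOG = [
    '10.0.0.5 - jdoe [20/Aug/2024:10:15:01 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120 "https://wiki.example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Aug/2024:10:16:33 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Aug/2024:10:16:40 +0000] "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '10.0.0.5 - jdoe [20/Aug/2024:10:17:02 +0000] "POST /rest/api/content HTTP/1.1" 200 812 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - jdoe [20/Aug/2024:10:18:00 +0000] "POST /rest/api/content HTTP/1.1" 200 812 "https://wiki.example.com/pages/editpage.action" "Mozilla/5.0"',
]


def fully_decode(s, rounds=3):
    """URL-decode repeatedly so %253C (double-encoded '<') is caught as well."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan(lines, own_host):
    """Return one finding per suspicious line: kind 'xss' or 'csrf' (or 'unparsed')."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append({"line": n, "kind": "unparsed"})
            continue
        target = fully_decode(m["target"]).lower()
        for pat in XSS_PATTERNS:
            if pat.search(target):
                findings.append({"line": n, "kind": "xss", "ip": m["ip"], "match": pat.pattern})
                break
        # CSRF heuristic: a state-changing request whose Referer names another host.
        # A missing Referer is not flagged, since API clients routinely omit it.
        referer = m["referer"]
        if m["method"] in STATE_CHANGING and referer not in ("", "-"):
            ref_host = (urlsplit(referer).hostname or "").lower()
            if ref_host != own_host.lower():
                findings.append({"line": n, "kind": "csrf", "ip": m["ip"], "referer_host": ref_host})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "wiki.example.com"):
        print(f)
```

Expect false positives from the event-handler pattern on ordinary parameter names and false negatives for payloads that never touch the query string; use it to triage, then confirm against the actual request in the proxy or WAF log.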