CVE-2024-21677

EPSS 1.96%
Veröffentlicht 19.03.2024 17:15:09
Zuletzt bearbeitet 13.03.2025 18:15:37
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center. This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version and that Confluence Server customers upgrade to the latest 8.5.x LTS version.

If you are unable to do so, upgrade your instance to one of the specified supported fixed versions See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html

You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. 

This vulnerability was reported via our Bug Bounty program.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Confluence Data Center Version >= 6.13.0 < 7.19.20

Atlassian ≫ Confluence Data Center Version >= 7.20.0 < 8.5.7

Atlassian ≫ Confluence Data Center Version >= 8.6.0 < 8.8.1

Atlassian ≫ Confluence Server Version >= 6.13.0 < 7.19.20

Atlassian ≫ Confluence Server Version >= 7.20.0 < 8.5.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.96%	0.829

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security@atlassian.com	8.3	1.6	6	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://confluence.atlassian.com/pages/viewpage.action?pageId=1369444862

Vendor Advisory

https://jira.atlassian.com/browse/CONFSERVER-94604

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-21677

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21677

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21677

EUVD