Quick note about CVE-2024-21683 - Authenticated Remote Code Execution in Atlassian Confluence
Just a quick note, so I won't describe it in detail.
About the vulnerability
This is an authenticated remote code execution vulnerability in Atlassian Confluence: https://nvd.nist.gov/vuln/detail/CVE-2024-21683
Analysis
Quickly I downloaded 2 versions to diff and caught the change: in RhinoLanguageParser, it changed Context.initStandardObjects into Context.initSafeStandardObjects.
Googled a bit, and I knew that RhinoLanguageParser used with initStandardObjects can lead to remote code execution if we can control the variable script in this call (kind of ScriptEngine):
cx.evaluateString(scope, script, "ParserScript", 0, (Object)null);
After tracing, I found the source → sink:
com.atlassian.confluence.ext.code.config.ConfigureNewcodeAction#addLanguage
com.atlassian.confluence.ext.code.languages.impl.RegisteredLanguageInstallerImpl#installLanguage
com.atlassian.confluence.ext.code.languages.impl.RhinoLanguageParser#parseRegisteredLanguage
com.atlassian.confluence.ext.code.languages.impl.RhinoLanguageParser#parseLanguage
where the script variable can be controlled.
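To show what the one-line fix actually changes, here is an added example (my own check, not Confluence's or Rhino's code). It builds a Rhino scope both ways and runs a constructed probe script that only asks whether the LiveConnect objects (Packages, java) are reachable from script code; it assumes Rhino (org.mozilla:rhino) is on the classpath and that the script is evaluated with the same evaluateString call shown above.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ScriptableObject;

/**
 * Added example, not Confluence's or Rhino's own code.
 * Compares the scope built by Context.initStandardObjects (the vulnerable
 * call in RhinoLanguageParser) with Context.initSafeStandardObjects (the fix).
 * Assumes Rhino (org.mozilla:rhino) on the classpath.
 */
public class RhinoScopeCheck {

    // Constructed probe script: reports whether the objects that bridge
    // script code into the JVM are defined in the global scope.
    static final String BRIDGE_PROBE =
        "typeof Packages !== 'undefined' || typeof java !== 'undefined'";

    /** Builds the global scope the way the vulnerable or the fixed parser does. */
    static ScriptableObject buildScope(Context cx, boolean safe) {
        // initStandardObjects installs the Java-related globals (Packages, java, ...);
        // initSafeStandardObjects leaves them out, so the JVM is unreachable from script.
        return safe ? cx.initSafeStandardObjects() : cx.initStandardObjects();
    }

    /** Returns true when a script evaluated in that scope can see the Java bridge. */
    static boolean javaBridgeExposed(boolean safe) {
        Context cx = Context.enter();
        try {
            cx.setOptimizationLevel(-1); // interpreted mode, no bytecode generation
            ScriptableObject scope = buildScope(cx, safe);
            // Same evaluation call the parser uses, with the probe as the "script" input.
            Object result = cx.evaluateString(scope, BRIDGE_PROBE, "ParserScript", 0, null);
            return Context.toBoolean(result);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        System.out.println("initStandardObjects     exposes Java bridge: " + javaBridgeExposed(false));
        System.out.println("initSafeStandardObjects exposes Java bridge: " + javaBridgeExposed(true));
    }
}
```

The probe is what a reviewer can run against any Rhino-based script evaluator that takes user-supplied input: if it reports the bridge as exposed, the evaluator has the same class of problem as the unpatched parser. When a deployment cannot switch initializers, Rhino's ClassShutter (Context.setClassShutter) is the documented way to deny script access to JVM classes, and is worth using as defense in depth even with the safe scope.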
POC
This is my quick POC; I will let my readers do it by themselves.