CVE-2024-21683

HIGH · EXPLOITED · NUCLEI

Atlassian Confluence Data Center and Server - Remote Code Execution

Title source: nuclei

Exploitation Summary

CVE-2024-21683 has been observed exploited in the wild (reported by VulnCheck KEV on 2024-05-23). EIP tracks 6 public exploits from researchers including W01fh4cker, absholi7ly and phucrio, among them a Metasploit module (exploits/multi/http/atlassian_confluence_rce_cve_2024_21683). A Nuclei detection template is also available.

AI-analyzed exploit summary

(From the analysis of the W01fh4cker repository listed below.) This repository contains a functional exploit for CVE-2024-21683, an authenticated RCE vulnerability in Atlassian Confluence. The exploit leverages an authenticated session to upload a malicious JavaScript file, which executes arbitrary commands via Java's ProcessBuilder.

Description

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. With a CVSS score of 7.2, it allows an authenticated attacker to execute arbitrary code, with high impact to confidentiality, integrity and availability, and requires no user interaction. Note that 7.2 is the score in this vendor-supplied description; the Scores section below carries NVD's 8.8, whose vector assumes low privileges (PR:L). Scoring that same vector with PR:H, which matches the administrator credentials listed as a prerequisite by the exploit analyses below, gives 7.2.

Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes: https://confluence.atlassian.com/doc/confluence-release-notes-327.html. You can download the latest version of Confluence Data Center and Server from the download center: https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.

Exploits (6)

nomisec · WORKING POC · 127 stars
by W01fh4cker · remote-auth
https://github.com/W01fh4cker/CVE-2024-21683-RCE

This repository contains a functional exploit for CVE-2024-21683, an authenticated RCE vulnerability in Atlassian Confluence. The exploit leverages an authenticated session to upload a malicious JavaScript file, which executes arbitrary commands via Java's ProcessBuilder.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence
Auth required
Prerequisites: Valid administrator credentials · Access to the target Confluence instance
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 11 stars
by absholi7ly · poc
https://github.com/absholi7ly/-CVE-2024-21683-RCE-in-Confluence-Data-Center-and-Server

This repository provides a functional proof-of-concept exploit for CVE-2024-21683, demonstrating remote code execution (RCE) in Confluence Data Center and Server via a malicious JavaScript file upload. The exploit leverages a vulnerability in the language upload functionality to execute arbitrary commands (e.g., launching calc.exe).

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Confluence Data Center and Server
Auth required
Prerequisites: Valid authenticated session (with its atl_token XSRF token) · Access to the admin interface
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 1 star
by phucrio · remote-auth
https://github.com/phucrio/CVE-2024-21683-RCE

This repository contains a functional exploit for CVE-2024-21683, demonstrating RCE via a crafted JavaScript file upload to Confluence Data Center and Server. The PoC automates authentication, token retrieval, and payload delivery to execute arbitrary commands.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence Data Center and Server (the automated analysis did not name the product; the CVE itself is specific to Confluence)
Auth required
Prerequisites: Valid admin credentials · Network access to target · Access to the vulnerable language-file upload endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 1 star
by r00t7oo2jm · poc
https://github.com/r00t7oo2jm/-CVE-2024-21683-RCE-in-Confluence-Data-Center-and-Server

The repository provides multiple functional exploit methods for CVE-2024-21683, an RCE vulnerability in Confluence Data Center and Server. It includes detailed steps for exploiting the `/rest/api/user/bulk` endpoint, a Python script for injecting malicious code via the `/rest/api/content` endpoint, and a reverse shell payload via file upload.

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Confluence Data Center and Server (versions 7.19.0-7.19.21, 8.0.0-8.9.0, etc.)
No auth needed
Prerequisites: Network access to the vulnerable Confluence server · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 18, 2026

Note: the "no auth needed" verdict and the REST endpoints named above contradict the vendor description (an authenticated attacker is required) and every other analysis on this page, all of which point to the admin-only language-file upload. The repository name also mirrors absholi7ly's. Verify this one independently before relying on it.
nomisec · WORKING POC
by r3db34rdh4x · poc
https://github.com/r3db34rdh4x/cve-2024-21683-rce

This repository contains a functional exploit for CVE-2024-21683, an RCE vulnerability in Atlassian Confluence Server and Data Center. The exploit leverages an authenticated file upload flaw in the 'Add New Language' feature to execute arbitrary JavaScript code on the server.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence Server and Data Center (versions 5.2 and later)
Auth required
Prerequisites: Valid admin credentials for Confluence · Access to the 'Add New Language' feature
devstral-2 · analyzed Feb 19, 2026
metasploit · WORKING POC · EXCELLENT
by Ankita Sawlani, Huong Kieu, W01fh4cker, remmons-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb

This Metasploit module exploits CVE-2024-21683, an authenticated RCE vulnerability in Atlassian Confluence. It authenticates as an administrator, elevates privileges, and leverages the Rhino script engine to execute arbitrary commands via tainted file uploads.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Confluence < 7.17, 7.17.0-7.17.5, 7.18.0-7.18.3, 7.19.0-7.19.21, 7.20.0-7.20.3, 8.0.0-8.0.4, 8.1.0-8.1.4, 8.2.0-8.2.3, 8.3.0-8.3.4, 8.4.0-8.4.5, 8.5.0-8.5.8, 8.6.0-8.6.2, 8.7.0-8.7.2, 8.8.0-8.8.1, 8.9.0
Auth required
Prerequisites: Valid administrator credentials · Network access to Confluence instance (default port 8090) · Vulnerable Confluence version
devstral-2 · analyzed Feb 16, 2026
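The affected-version ranges above are the practical triage input for this CVE: an inventory of Confluence versions has to be compared against them. The following is an added example, not code from EIP, nomisec, Metasploit or any repository on this page. It parses the range notation exactly as printed in the Metasploit target list and checks version strings against it; the lower bound 5.2.0 for the open-ended "< 7.17" range is taken from the vendor description ("introduced in version 5.2"). Note that the Products list further down gives 7.19.0 - 7.19.24 where the Metasploit list ends at 7.19.21; the code takes the Metasploit ranges as input, and the vendor advisory is the authority on fixed versions.

```python
"""Version-range triage for CVE-2024-21683.

Added example, not code from EIP, nomisec or any repository listed on this page.
The affected ranges are copied from the Metasploit module's target list above;
the lower bound 5.2.0 for "< 7.17" comes from the vendor description.
"""
from __future__ import annotations

import re

Version = tuple[int, int, int]

# Version in which the vendor says the flaw was introduced (see Description).
INTRODUCED: Version = (5, 2, 0)

# Target list as printed on this page for the Metasploit module; ranges are inclusive.
AFFECTED_TEXT = (
    "< 7.17, 7.17.0-7.17.5, 7.18.0-7.18.3, 7.19.0-7.19.21, 7.20.0-7.20.3, "
    "8.0.0-8.0.4, 8.1.0-8.1.4, 8.2.0-8.2.3, 8.3.0-8.3.4, 8.4.0-8.4.5, "
    "8.5.0-8.5.8, 8.6.0-8.6.2, 8.7.0-8.7.2, 8.8.0-8.8.1, 8.9.0"
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]'; trailing suffixes such as '-jira1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def parse_range(text: str) -> tuple[Version, Version]:
    """Turn one entry of the page's notation into (low_inclusive, high_exclusive)."""
    text = text.strip()
    if text.startswith("<"):                      # "< 7.17": everything before 7.17.0
        return INTRODUCED, parse_version(text[1:])
    if "-" in text:                                # "7.17.0-7.17.5": inclusive pair
        low, high = (parse_version(p) for p in text.split("-", 1))
    else:                                          # "8.9.0": a single version
        low = high = parse_version(text)
    return low, (high[0], high[1], high[2] + 1)


AFFECTED_RANGES = [parse_range(r) for r in AFFECTED_TEXT.split(",")]


def is_affected(version: str) -> bool:
    """True if the given Confluence version falls in any listed vulnerable range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each version string in an inventory to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory for illustration, not data from the page.
    inventory = ["5.1.4", "6.15.2", "7.16.5", "7.19.21", "7.19.22",
                 "8.5.8", "8.5.9", "8.9.0", "8.9.1"]
    for ver, hit in triage(inventory).items():
        print(f"{ver:>8}  {'AFFECTED' if hit else 'not in listed ranges'}")
```

A version outside every range is reported as "not in listed ranges" rather than "safe": the check only knows what the page lists, and a build older than 5.2.0 or newer than 8.9.0 still needs the vendor advisory for a verdict.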

Nuclei Templates (1)

Atlassian Confluence Data Center and Server - Remote Code Execution
HIGH · VERIFIED · by pdresearch
FOFA: app="ATLASSIAN-Confluence"

Scores

CVSS v3: 8.8
EPSS: 0.9405 (percentile 99.9%)
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical impact: total

Details

VulnCheck KEV: 2024-05-23
CWE: CWE-94 (Improper Control of Generation of Code, "Code Injection")
Status: published
Products (18)
atlassian/confluence_data_center 8.7.1
atlassian/confluence_data_center 8.7.2
atlassian/confluence_data_center 8.8.0
atlassian/confluence_data_center 8.8.1
atlassian/confluence_data_center 7.19.0 - 7.19.24
atlassian/confluence_data_center 7.20.0 - 7.20.3
atlassian/confluence_server 8.7.1
atlassian/confluence_server 8.7.2
atlassian/confluence_server 8.8.0
atlassian/confluence_server 8.8.1
... and 8 more
Published: May 21, 2024
Tracked since: Feb 18, 2026