CVE-2024-21690:
Confluence Server Análisis y mitigación de vulnerabilidades
Vista general
A High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability (CVE-2024-21690) was discovered in Confluence Data Center and Server. The vulnerability was introduced in multiple versions including 7.19.0, 7.20.0, 8.0.0 through 8.9.0. This security issue was reported through Atlassian's Bug Bounty program and was disclosed on August 20, 2024 (Atlassian Bulletin).
Técnicas
The vulnerability has been assigned a CVSS v3.0 score of 7.1 (High) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser and force an end user to execute unwanted actions on a web application in which they're currently authenticated (ASEC Advisory).
Impacto
The vulnerability has a high impact on confidentiality, low impact on integrity, and no impact on availability. It enables attackers to execute arbitrary HTML or JavaScript code in the victim's browser and can force end users to execute unwanted actions in web applications where they are authenticated (Atlassian Bulletin).
Mitigación y soluciones alternativas
Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. For those unable to do so, specific fixed versions are provided: Confluence Data Center and Server 7.19 should upgrade to version 7.19.26 or higher, version 8.5 should upgrade to 8.5.14 or higher, and version 9.0 should upgrade to 9.0.1 or higher (Atlassian Bulletin).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Confluence Server Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."