{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-021.pdf"
    },
    "title": "Vulnerabilities in Atlassian Products",
    "serial_number": "2024-021",
    "publish_date": "21-02-2024 16:24:33",
    "description": "On February 20, 2024, Atlassian released a security advisory addressing a high severity vulnerability in Confluence Data Center and Confluence Server that, if exploited, could allow an authenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser. The security advisory also addresses 10 other high severity vulnerabilities which have been fixed in new versions of several Atlassian products.<br>\n",
    "url_title": "2024-021",
    "content_markdown": "---\ntitle: 'Vulnerabilities in\u00a0Atlassian\u00a0Products'\nnumber: '2024-021'\nversion: '1.0'\noriginal_date: 'February 20, 2024'\ndate: 'February 21, 2024'\n---\n\n_History:_\n\n* _21/02/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn February 20, 2024, Atlassian released a security advisory addressing a high severity vulnerability in Confluence Data Center and Confluence Server that, if exploited, could allow an authenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser [1]. The security advisory also addresses 10 other high severity vulnerabilities which have been fixed in new versions of several Atlassian products [2].\n\n# Technical Details\n\nThe vulnerability `CVE-2024-21678`, with a CVSS score of 8.5, is a stored XSS vulnerability that allows an authenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser. It has a high impact on confidentiality, a low impact on integrity and no impact on availability, and requires no user interaction [1].\n\nOf the other 10 vulnerabilities [2], 9 allow an unauthenticated attacker to expose assets in the environment susceptible to exploitation, which might have an impact on confidentiality, integrity, or availability, and require no user interaction.\n\n# Affected Products\n\nThe vulnerability `CVE-2024-21678` affects the following versions of Confluence Data Center and Confluence Server:\n\n- from 8.7.0 to 8.7.1 (only Confluence Data Center)\n- from 8.6.0 to 8.6.1 (only Confluence Data Center)\n- from 8.5.0 to 8.5.4 LTS\n- from 8.4.0 to 8.4.5\n- from 8.3.0 to 8.3.4\n- from 8.2.0 to 8.2.3\n- from 8.1.0 to 8.1.4\n- from 8.0.0 to 8.0.4\n- from 7.20.0 to 7.20.3\n- from 7.19.0 to 7.19.17 LTS\n- from 7.18.0 to 7.18.3\n- from 7.17.0 to 7.17.5\n- Any earlier versions\n\nThe other 10 high severity vulnerabilities affect several Atlassian products. A complete list can be found on the vendor's website [2].\n\n# Recommendations\n\nCERT-EU strongly recommends installing the latest version of Atlassian products as soon as possible.\n\n# References\n\n[1] <https://jira.atlassian.com/browse/CONFSERVER-94513>\n\n[2] <https://confluence.atlassian.com/security/security-bulletin-february-20-2024-1354501606.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>21/02/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On February 20, 2024, Atlassian released a security advisory addressing a high severity vulnerability in Confluence Data Center and Confluence Server that, if exploited, could allow an authenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser [1]. The security advisory also addresses 10 other high severity vulnerabilities which have been fixed in new versions of several Atlassian products [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2024-21678</code>, with a CVSS score of 8.5, is a stored XSS vulnerability that allows an authenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser. It has a high impact on confidentiality, a low impact on integrity and no impact on availability, and requires no user interaction [1].</p><p>Of the other 10 vulnerabilities [2], 9 allow an unauthenticated attacker to expose assets in the environment susceptible to exploitation, which might have an impact on confidentiality, integrity, or availability, and require no user interaction.</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability <code>CVE-2024-21678</code> affects the following versions of Confluence Data Center and Confluence Server:</p><ul><li>from 8.7.0 to 8.7.1 (only Confluence Data Center)</li><li>from 8.6.0 to 8.6.1 (only Confluence Data Center)</li><li>from 8.5.0 to 8.5.4 LTS</li><li>from 8.4.0 to 8.4.5</li><li>from 8.3.0 to 8.3.4</li><li>from 8.2.0 to 8.2.3</li><li>from 8.1.0 to 8.1.4</li><li>from 8.0.0 to 8.0.4</li><li>from 7.20.0 to 7.20.3</li><li>from 7.19.0 to 7.19.17 LTS</li><li>from 7.18.0 to 7.18.3</li><li>from 7.17.0 to 7.17.5</li><li>Any earlier versions</li></ul><p>The other 10 high severity vulnerabilities affect several Atlassian products. A complete list can be found on the vendor's website [2].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends installing the latest version of Atlassian products as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://jira.atlassian.com/browse/CONFSERVER-94513\">https://jira.atlassian.com/browse/CONFSERVER-94513</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/security/security-bulletin-february-20-2024-1354501606.html\">https://confluence.atlassian.com/security/security-bulletin-february-20-2024-1354501606.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}