CVE-2024-21677 Observation Footprint

CVE-2024-21677 Details

This High severity Path Traversal vulnerability was introduced in version 6.13.0 of Confluence Data Center.

This Path Traversal vulnerability, with a CVSS Score of 8.3, allows an unauthenticated attacker to exploit an undefinable vulnerability which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Data Center

Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
||Affected versions||Fixed versions||
|8.8.0|8.8.1 recommended|
|from 8.7.0 to 8.7.2|8.8.1 recommended|
|from 8.6.0 to 8.6.2|8.8.1 recommended|
|from 8.5.0 to 8.5.6 LTS|8.8.1 recommended or 8.5.7 LTS|
|from 8.4.0 to 8.4.5|8.8.1 recommended or 8.5.7 LTS|
|from 8.3.0 to 8.3.4|8.8.1 recommended or 8.5.7 LTS|
|from 8.2.0 to 8.2.3|8.8.1 recommended or 8.5.7 LTS|
|from 8.1.0 to 8.1.4|8.8.1 recommended or 8.5.7 LTS|
|from 8.0.0 to 8.0.4|8.8.1 recommended or 8.5.7 LTS|
|from 7.20.0 to 7.20.3|8.8.1 recommended or 8.5.7 LTS|
|from 7.19.0 to 7.19.19 LTS|8.8.1 recommended or 8.5.7 LTS or 7.19.20 LTS|
|from 7.18.0 to 7.18.3|8.8.1 recommended or 8.5.7 LTS or 7.19.20 LTS|
|from 7.17.0 to 7.17.5|8.8.1 recommended or 8.5.7 LTS or 7.19.20 LTS|
|Any earlier versions|8.8.1 recommended or 8.5.7 LTS or 7.19.20 LTS|
Server

{color:#172b4d}Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:{color}
||Affected versions||Fixed versions||
|from 8.5.0 to 8.5.6 LTS|8.5.7 LTS recommended|
|from 8.4.0 to 8.4.5|8.5.7 LTS recommended|
|from 8.3.0 to 8.3.4|8.5.7 LTS recommended|
|from 8.2.0 to 8.2.3|8.5.7 LTS recommended|
|from 8.1.0 to 8.1.4|8.5.7 LTS recommended|
|from 8.0.0 to 8.0.4|8.5.7 LTS recommended|
|from 7.20.0 to 7.20.3|8.5.7 LTS recommended|
|from 7.19.0 to 7.19.19 LTS|8.5.7 LTS recommended or 7.19.20 LTS|
|from 7.18.0 to 7.18.3|8.5.7 LTS recommended or 7.19.20 LTS|
|from 7.17.0 to 7.17.5|8.5.7 LTS recommended or 7.19.20 LTS|
|Any earlier versions|8.5.7 LTS recommended or 7.19.20 LTS|

See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center and Server from the download center ([https://www.atlassian.com/software/confluence/download-archives]).

This vulnerability was reported via our Bug Bounty program.

View at NVD

Products affected by CVE-2024-21677

Confluence Server	6.13.0
Confluence Server	6.13.10
Confluence Server	6.13.21
Confluence Server	6.13.23
Confluence Server	6.13.4

CVE-2024-21677 Global Footprint

Top 10 Identified Countries

Country	Observations	Percentage
US	320	22.39%
CN	196	13.72%
DE	122	8.54%
RU	107	7.49%
AU	53	3.71%
FR	46	3.22%
JP	46	3.22%
CA	40	2.80%
IN	38	2.66%
GB	35	2.45%

Is CVE-2024-21677 part of your extended attack surface? Bitsight helps security leaders rapidly identify exposure and detect threats in order to prioritize, communicate, and mitigate risk.

View interactive product tours

CVE-2024-21677 Industry Footprint

Top 10 Identified Industries

*Service provider organizations (typically Technology and Telecommunications) are disproportionally represented in the results given their upstream ownership of end-user infrastructure. See our FAQs.

Industry*	Observations	Percentage
Technology	999	89.76%
Telecommunications	86	7.73%
Manufacturing	8	0.72%
Education	8	0.72%
Government/Politics	7	0.63%
Business Services	3	0.27%
Finance	1	0.09%
Retail	1	0.09%

Bitsight Data Discovery and Continuous Threat Scanning

Bitsight, the leading provider in Cyber Risk Management, introduced the next-generation internet scanner Bitsight Groma in May 2024. This technology continuously scans the entire internet to discover assets, collect asset attribution evidence, and identify an ever-growing set of security observations, such as vulnerabilities and misconfigurations. Groma’s scanning activities presently encompass: 

40 million-plus monitored organizations
250 million-plus host names
4 billion-plus routable IPv4 and IPv6 addresses

Greynoise’s recent study testifies the speed of Bitsight Groma.

Learn more about Bitsight Groma

How we use Bitsight Groma data

Empower Security Research

Bitsight TRACE team investigates security incidents and identifies vulnerabilities and threats.

View latest security research

Feed Bitsight Products

Along with our mapping technology, Graph of Internet Assets (GIA), to enable best-in-class cyber risk intelligence solutions.

Exposure Management

Third-Party Risk Management

Cyber Threat Intelligence

See Your External Attack Surface

See what you’re up against across the expanding attack surface. Prioritize what matters most. And mitigate where you’re most vulnerable.

External Attack Surface Management

Your attack surface is expanding—know exactly how it looks

Reducing exposure starts with knowing exactly how your external attack surface stands—from your overall standing to each digital and cloud asset around the world. Bitsight's custom report gives you the insights you need to see your entire external attack surface.

Get a free attack surface report