Confluence Post-Auth RCE - CVE-2024-21683
by W01fh4cker (credit to realalphaman_ for original research) · 2026-05-17
- Severity: High
- CVE: CVE-2024-21683
- Category: web
- Affected product: Atlassian Confluence Data Center and Server
- Affected versions: All versions before the May 2024 security patch; exact range per Atlassian advisory
- Disclosed: 2026-05-17
- Patch status: unpatched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-17 |
| Last Updated | 2024-05-27 |
| Author / Researcher | W01fh4cker (credit to realalphaman_ for original research) |
| CVE / Advisory | CVE-2024-21683 |
| Category | web |
| Severity | High |
| CVSS Score | 8.3 (CVSSv3) |
| Status | Weaponized |
| Tags | RCE, Confluence, post-auth, Rhino, JavaScript, Java, deserialization, Metasploit, red-team |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Atlassian Confluence Data Center and Server |
| Versions Affected | All versions before the May 2024 security patch; exact range per Atlassian advisory |
| Language / Platform | Java / Rhino JavaScript engine (RhinoLanguageParser) |
| Authentication Required | Yes (Confluence administrator account required) |
| Network Access Required | Yes |
Summary
CVE-2024-21683 is an authenticated Remote Code Execution vulnerability in Atlassian Confluence Data Center and Server affecting the “Add a New Language” feature in the Code Macro plugin. An authenticated Confluence administrator can upload a malicious .js file via the /admin/plugins/newcode/addlanguage.action endpoint, which is parsed by the RhinoLanguageParser (Mozilla Rhino JavaScript engine). Because Rhino can instantiate Java objects, the uploaded script can execute arbitrary Java code (e.g., new java.lang.ProcessBuilder(["calc.exe"]).start()), achieving RCE in the context of the Confluence server process. A Metasploit module is available.
Vulnerability Details
Root Cause
The Confluence Code Macro plugin’s “Add a New Language” feature allows administrators to upload a JavaScript file defining syntax highlighting rules. The file is processed by Mozilla Rhino (RhinoLanguageParser), which has full access to the Java runtime via its interoperability layer. There is no sandboxing or restriction on the Java classes that can be instantiated from Rhino scripts, allowing an attacker to call java.lang.ProcessBuilder or java.lang.Runtime.exec() directly from the uploaded script, resulting in OS command execution.
Attack Vector
- Authenticate to Confluence as an administrator account.
- Retrieve the atlassian-token (CSRF token) from /admin/plugins/newcode/configure.action.
- Perform the administrative authentication step via /doauthenticate.action.
- POST a malicious .js file to /admin/plugins/newcode/addlanguage.action using the languageFile multipart field with newLanguageName and the CSRF token.
Impact
Remote Code Execution as the Confluence server process user. While authentication is required (reducing the attack surface), Confluence administrators are common in enterprise environments and credentials may be obtained via phishing, credential stuffing, or other means. Full OS command execution allows data exfiltration, backdoor installation, and lateral movement.
Environment / Lab Setup
OS: Linux or Windows
Target: Atlassian Confluence Server (pre-May 2024 patch), e.g. via Atlassian Docker image
Attacker: Any system with Python 3 + requests + bs4
Tools: Python 3, requests, beautifulsoup4
Credentials: Confluence admin username and password
Proof of Concept
Step-by-Step Reproduction
- Log in as admin: authenticate to Confluence and retrieve the CSRF token (handled automatically by CVE-2024-21683.py).
- Upload malicious JS file: POST exploit.js via addlanguage.action:
  python CVE-2024-21683.py -u http://target:8090 -au admin -ap admin -f exploit.js -n test
- Verify execution: calculator (or other payload) executes on the server.
Exploit Code
See CVE-2024-21683.py and exploit.js in this folder.
Screenshots / Evidence
- Upstream repo includes a screenshot of successful exploitation (external CDN link).
Detection & Indicators of Compromise
Request indicator (web server or reverse proxy access logs):
POST /admin/plugins/newcode/addlanguage.action HTTP/1.1
SIEM / IDS Rule (example):
alert http any any -> any any (msg:"CVE-2024-21683 Confluence RCE - Malicious Language Upload"; content:"POST"; http_method; content:"/admin/plugins/newcode/addlanguage.action"; http_uri; content:"languageFile"; http_client_body; sid:9000013;)
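The access-log side of the same detection, as an added example that is not part of the archived repo: it assumes Confluence sits behind a reverse proxy writing Combined Log Format, flags every POST to addlanguage.action, and records whether the same client fetched configure.action first (the step where the CSRF token is served). The log lines are constructed samples.

```python
"""Flag Confluence Code Macro language uploads (CVE-2024-21683 indicator) in access logs."""
import re
from typing import Dict, List, Optional

# Endpoints named in this advisory. The configure -> doauthenticate -> addlanguage
# sequence is also the legitimate admin workflow, so every hit is a triage candidate
# to reconcile with change records, not a confirmed compromise.
UPLOAD_PATH = "/admin/plugins/newcode/addlanguage.action"
CONFIG_PATH = "/admin/plugins/newcode/configure.action"

# Combined Log Format (Apache/nginx style) as written by a typical reverse proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_language_uploads(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per POST to addlanguage.action, with the source IP, proxy-logged
    user, timestamp, status and whether that IP fetched configure.action earlier."""
    seen_configure = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before comparing
        if path == CONFIG_PATH:
            seen_configure.add(rec["ip"])
        elif path == UPLOAD_PATH and rec["method"] == "POST":
            alerts.append({
                "ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                "status": rec["status"],
                "token_fetch_seen": "yes" if rec["ip"] in seen_configure else "no",
            })
    return alerts

# Constructed sample lines (not real traffic); 10.0.0.5 follows the request sequence above.
SAMPLE_LOG = [
    '10.0.0.5 - admin [27/May/2024:10:01:02 +0000] "GET /admin/plugins/newcode/configure.action HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [27/May/2024:10:01:03 +0000] "POST /doauthenticate.action HTTP/1.1" 302 0',
    '10.0.0.5 - admin [27/May/2024:10:01:04 +0000] "POST /admin/plugins/newcode/addlanguage.action HTTP/1.1" 302 0',
    '10.0.0.9 - alice [27/May/2024:10:02:00 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 9876',
    '10.0.0.7 - - [27/May/2024:10:03:00 +0000] "POST /admin/plugins/newcode/addlanguage.action HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for alert in find_language_uploads(SAMPLE_LOG):
        print(alert)
```

A 403 on the upload without a prior configure.action fetch (the last sample line) is worth keeping in the alert set: it is what a failed attempt with stolen session cookies but no valid CSRF token looks like.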
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Atlassian’s May 2024 security patch. Check the official advisory for exact fixed version numbers. |
| Workaround | Restrict access to /admin/ endpoints to trusted IP ranges only; apply the principle of least privilege to Confluence admin accounts; enable MFA for admin accounts. |
| Config Hardening | Disable the Code Macro plugin’s “Add a New Language” feature if not required; audit admin account list and revoke unnecessary privileges. |
References
- CVE-2024-21683 (NVD)
- realalphaman_ original research
- Source repo: https://github.com/W01fh4cker/CVE-2024-21683-RCE
Notes
Post-authentication RCE requiring Confluence admin credentials. The attack surface is reduced compared to unauthenticated CVEs but remains significant in enterprise environments where admin credentials may be compromised or shared. The exploit.js payload in this repo spawns calc.exe as a proof of concept; it can trivially be replaced with a reverse shell payload. A Metasploit module for this CVE is separately available. Stars: 128, Forks: 33. Language: Python. Topics: confluence, cve-2024-21683, redteam.
Auto-ingested from https://github.com/W01fh4cker/CVE-2024-21683-RCE on 2026-05-17.