RCE in Confluence (CVE-2024-21683) with public exploits on GitHub. Authentication is required; both Confluence Data Center and Confluence Server are vulnerable.
🔻 Version 8.5.9 LTS, which fixes the vulnerability, was released on May 9.
🔻 On May 23, after the description of the vulnerability in NVD and the Atlassian ticket became public, researcher Huong Kieu studied the patch, described the vulnerability and reported that he had been able to make a PoC. On the same day, exploits for this vulnerability appeared on GitHub.
Atlassian likely held back information about fixing this vulnerability so that more organizations could update before active exploitation began. However, they didn’t quite succeed. Apparently they accidentally published the ticket on May 15th, and then hid it until May 23rd. But the vulnerability search engine Vulners remembered it. 😉 So information about the vulnerability was available all this time.