SID 1:63599

Report a false positive

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Atlassian Confluence Server remote code execution attempt

Rule Explanation

This rule looks for language files uploaded to Confluence Data Center or servers that contain arbitrary Java code.

What To Look For

This rule fires on attempts to upload and execute arbitrary Java code against Confluence Data Center and Server instances.

Known Usage

Public information/Proof of Concept available

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

Rule Categories::Server::Web Applications

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

CVE

CVE-2024-21683

Additional Links

confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html

Rule Vulnerability

Local File Inclusion

Local File Inclusion (LFI) attackers attempt to trick the web server into executing a file local to its own file system. The attacker might have saved the file there in another way first, or the target file could be a local executable that should not be accessible to the web server otherwise. A successful LFI can lead to data leaks or remote code execution. Avoid dynamic inclusion of user input files, or whitelist files that may be included.

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2024-21683
 Loading description