We have fixed a vulnerability in our version of Xwork. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. A valid user account is not required to exploit this vulnerability.
The vulnerability affects all versions of Confluence up to and including 5.1.4.
No other Atlassian products are affected.
For more information on this issue, including full instructions on patches and workarounds, please see the security advisory.
Our thanks to Reginaldo Silva, who reported this vulnerability.