[CONFSERVER-68844] RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Public Security Vulnerability
Status: Published (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 7.12.4
Fix Version/s: 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0
Component/s: None
Labels:

CVSS Score:
8.8
CVSS Severity:
High
CVE ID:
CVE-2021-39114

Description

A user with a valid account on a Confluence Server or Data Center instance is able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload.

The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Affected versions:

* version < 6.13.23
* 6.14.0 ≤ version < 7.4.11
* 7.5.0 ≤ version < 7.11.6
* 7.12.0 ≤ version < 7.12.5

Fixed versions:

* 6.13.23
* 7.4.11
* 7.11.6
* 7.12.5
* 7.13.0

Attachments

Issue Links

relates to

CONFSERVER-67940 Confluence Server Webwork OGNL injection - CVE-2021-26084

Published

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Jamal Hopwood

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 27/Aug/2021 3:55 AM

Updated:: 01/Jun/2022 2:34 AM

Resolved:: 09/Feb/2022 12:54 AM