[CONFSERVER-68844] RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0
Affects Version/s: 7.12.4
Component/s: None
Labels:

CVSS Score:
8.8
CVSS Severity:
High
CVE ID:
CVE-2021-39114

A user with a valid account on a Confluence Server or Data Center instance is able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload.

The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Affected versions:

* version < 6.13.23
* 6.14.0 ≤ version < 7.4.11
* 7.5.0 ≤ version < 7.11.6
* 7.12.0 ≤ version < 7.12.5

Fixed versions:

* 6.13.23
* 7.4.11
* 7.11.6
* 7.12.5
* 7.13.0

relates to

CONFSERVER-67940 Confluence Server Webwork OGNL injection - CVE-2021-26084

Published

mentioned in: Page Failed to load; Page Failed to load

Cathy S made changes - 01/Jun/2022 2:34 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 647675 ]

David Black made changes - 05/Apr/2022 3:55 AM

Link

New: This issue relates to ~~CONFSERVER-67940~~ [ ~~CONFSERVER-67940~~ ]

Cathy S made changes - 22/Mar/2022 4:56 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 628990 ]

Security Metrics Bot made changes - 13/Feb/2022 8:28 PM

CVE ID

New: CVE-2021-39114

Jamal Hopwood 🐙 made changes - 09/Feb/2022 12:54 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Jamal Hopwood 🐙 made changes - 09/Feb/2022 12:54 AM

Security

Original: Atlassian Staff [ 10750 ]

Jamal Hopwood 🐙 made changes - 09/Feb/2022 12:53 AM

Labels

Original: advisory advisory-to-release dont-import security

New: advisory advisory-released dont-import security

Jamal Hopwood 🐙 made changes - 09/Feb/2022 12:52 AM

Assignee

New: Jamal Hopwood 🐙 [ 8720c7add7cc ]

Jamal Hopwood 🐙 made changes - 09/Feb/2022 12:47 AM

Summary

Original: RCE on Confluence Data Center via OGNL Injection

New: RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114

Jamal Hopwood 🐙 made changes - 09/Feb/2022 12:44 AM

Description

Original: A user with a valid account on a Confluence Server or Data Center instance is able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload.

Affected versions:
* Before version 6.13.23

;version

New: A user with a valid account on a Confluence Server or Data Center instance is able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload.

The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

*Affected versions:*

* version < 6.13.23
* 6.14.0 ≤ version < 7.4.11
* 7.5.0 ≤ version < 7.11.6
* 7.12.0 ≤ version < 7.12.5

*Fixed versions:*

* 6.13.23
* 7.4.11
* 7.11.6
* 7.12.5
* 7.13.0

Assignee:: Jamal Hopwood 🐙

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 27/Aug/2021 3:55 AM

Updated:: 01/Jun/2022 2:34 AM

Resolved:: 09/Feb/2022 12:54 AM

Confluence Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[CONFSERVER-68844] RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114

People

Dates