WEB APPLICATION VULNERABILITIES Standard & Premium

Unauthenticated OGNL injection in Confluence Server and Data Center

Description

An OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

Affected versions:

version < 6.13.23
6.14.0 = version < 7.4.11
7.5.0 = version < 7.11.5
7.12.0 = version < 7.12.5

Remediation

Upgrade to the latest version of Confluence.
Fixed versions:

6.13.23

7.4.11

7.11.6

7.12.5

7.13.0

References

Confluence Server Webwork OGNL injection - CVE-2021-26084

Related Vulnerabilities

WordPress Plugin WP-Filebase Download Manager Remote Code Execution (0.3.0.03)

elFinder RCE (CVE-2021-32682)

WordPress Plugin Zingiri Web Shop 'ajax_save_name.php' Remote Code Execution (2.2.3)

WordPress Plugin WP-Live Chat by 3CX Remote Code Execution (7.0.01)

Oracle ADF Faces 'Miracle' RCE (CVE-2022-21445)

Severity

High

Classification

CVE-2021-26084 CWE-917 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags