CVE-2021-26084

Warnung

Exploit

EPSS 94.44%
Veröffentlicht 30.08.2021 07:15:06
Zuletzt bearbeitet 24.10.2025 13:38:44
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Confluence Data Center Version < 6.13.23

Atlassian ≫ Confluence Data Center Version >= 6.14.0 < 7.4.11

Atlassian ≫ Confluence Data Center Version >= 7.5.0 < 7.11.6

Atlassian ≫ Confluence Data Center Version >= 7.12.0 < 7.12.5

Atlassian ≫ Confluence Server Version < 6.13.23

Atlassian ≫ Confluence Server Version >= 6.14.0 < 7.4.11

Atlassian ≫ Confluence Server Version >= 7.5.0 < 7.11.6

Atlassian ≫ Confluence Server Version >= 7.12.0 < 7.12.5

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability

Schwachstelle

Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.44%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html

Third Party Advisory

Exploit

VDB Entry

https://jira.atlassian.com/browse/CONFSERVER-67940

Patch

Vendor Advisory

Issue Tracking

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26084

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2021-26084

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-26084

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-26084

EUVD