What is CVE-2021-26084?

CVE-2021-26084 is a vulnerability in Atlassian Confluence Server and Data Center that allows an unauthenticated attacker to execute arbitrary code.

How severe is CVE-2021-26084?

CVE-2021-26084 has a severity score of 9.8, which is considered critical.

Which versions of Confluence Server and Data Center are affected by CVE-2021-26084?

Versions before 6.13.23 and from 6.14.0 to 7.4.11 of Confluence Server and Data Center are affected by CVE-2021-26084.

How can an attacker exploit CVE-2021-26084?

An attacker can exploit CVE-2021-26084 by injecting malicious Object-Graph Navigation Language (OGNL) code.

Is there a fix for CVE-2021-26084?

Yes, updating Confluence Server and Data Center to version 7.4.11 or later will fix the vulnerability.

Vulnerability/
CVE-2021-26084

Exploited

critical

9.8

CWE

917

30/8/2021

17/9/2024

CVE-2021-26084: Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability

First published: Mon Aug 30 2021(Updated: )

Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code.

Credit: security@atlassian.com security@atlassian.com security@atlassian.com

Affected Software	Affected Version	How to fix
Atlassian Confluence Data Center	<6.13.23
Atlassian Confluence Data Center	>=6.14.0<7.4.11
Atlassian Confluence Data Center	>=7.5.0<7.11.6
Atlassian Confluence Data Center	>=7.12.0<7.12.5
Atlassian Confluence Server	<6.13.23
Atlassian Confluence Server	>=6.14.0<7.4.11
Atlassian Confluence Server	>=7.5.0<7.11.6
Atlassian Confluence Server	>=7.12.0<7.12.5
Atlassian Confluence Server and Data Center
	<6.13.23
	>=6.14.0<7.4.11
	>=7.5.0<7.11.6
	>=7.12.0<7.12.5
	<6.13.23
	>=6.14.0<7.4.11
	>=7.5.0<7.11.6
	>=7.12.0<7.12.5

Remedy

https://jira.atlassian.com/browse/CONFSERVER-67940

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-26084?
CVE-2021-26084 is a vulnerability in Atlassian Confluence Server and Data Center that allows an unauthenticated attacker to execute arbitrary code.
How severe is CVE-2021-26084?
CVE-2021-26084 has a severity score of 9.8, which is considered critical.
Which versions of Confluence Server and Data Center are affected by CVE-2021-26084?
Versions before 6.13.23 and from 6.14.0 to 7.4.11 of Confluence Server and Data Center are affected by CVE-2021-26084.
How can an attacker exploit CVE-2021-26084?
An attacker can exploit CVE-2021-26084 by injecting malicious Object-Graph Navigation Language (OGNL) code.
Is there a fix for CVE-2021-26084?
Yes, updating Confluence Server and Data Center to version 7.4.11 or later will fix the vulnerability.

collector/nvd-api
collector/nvd-index
agent/author
agent/type
agent/softwarecombine
agent/severity
agent/weakness
agent/remedy
agent/title
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/first-publish-date
agent/tags
agent/event
exploited/true
ransomware/true
collector/cisa-known-exploited
source/CISA
agent/software-canonical-lookup
collector/nvd-cve
source/NVD
agent/references
vendor/atlassian
canonical/atlassian confluence data center
version/atlassian confluence data center/6.14.0
version/atlassian confluence data center/7.5.0
version/atlassian confluence data center/7.12.0
canonical/atlassian confluence server
version/atlassian confluence server/6.14.0
version/atlassian confluence server/7.5.0
version/atlassian confluence server/7.12.0
canonical/atlassian confluence server and data center