First published: Tue Apr 05 2022
Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix |
---|---|---|
Atlassian Confluence Data Center | <6.13.23 | Upgrade to 6.13.23 or later in the 6.13 line |
Atlassian Confluence Data Center | >=6.14.0, <7.4.11 | Upgrade to 7.4.11 or later in the 7.4 line |
Atlassian Confluence Data Center | >=7.5.0, <7.11.6 | Upgrade to 7.11.6 or later in the 7.11 line |
Atlassian Confluence Data Center | >=7.12.0, <7.12.5 | Upgrade to 7.12.5 or later |
Atlassian Confluence Server | <6.13.23 | Upgrade to 6.13.23 or later in the 6.13 line |
Atlassian Confluence Server | >=6.14.0, <7.4.11 | Upgrade to 7.4.11 or later in the 7.4 line |
Atlassian Confluence Server | >=7.5.0, <7.11.6 | Upgrade to 7.11.6 or later in the 7.11 line |
Atlassian Confluence Server | >=7.12.0, <7.12.5 | Upgrade to 7.12.5 or later |
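The four affected ranges above are easy to misjudge by eye (7.4.9 sorts after 7.4.10 as a string, and 7.4.12 is outside the 7.4 range even though it is "between" the listed bounds). The script below is an added example, not code from Atlassian or SecAlerts: it encodes exactly the ranges the advisory states, compares versions numerically, and reports the first fixed release for each host in a constructed inventory. The host names and version inventory are made up for illustration; the range table is taken from the advisory.

```python
"""Check Confluence Server / Data Center version strings against the
CVE-2021-39114 affected ranges stated in the advisory and report the
fixed release to upgrade to.

Added example, not Atlassian's or SecAlerts' code. Versions are compared
as tuples of integers so that 7.4.9 < 7.4.10 (a plain string compare
gets this wrong).
"""
from typing import Iterable, List, Optional, Tuple

# (inclusive lower bound, exclusive fixed version), straight from the
# advisory. A lower bound of None means "everything below the fix",
# which is the "<6.13.23" row.
AFFECTED_RANGES: Tuple[Tuple[Optional[str], str], ...] = (
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.4.10' into (7, 4, 10). Rejects anything non-numeric so a
    typo in an inventory does not silently compare as 'not affected'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def fix_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, or None when
    the version falls in no affected range (already at or past a fix, or
    on a release line the advisory does not list)."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        above_lower = lower is None or v >= parse_version(lower)
        if above_lower and v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True if the version is inside any of the advisory's ranges."""
    return fix_for(version) is not None


def report(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """One status line per (host, version) pair."""
    lines = []
    for host, ver in inventory:
        fixed = fix_for(ver)
        status = f"AFFECTED, upgrade to {fixed}" if fixed else "not affected"
        lines.append(f"{host}: {ver} -> {status}")
    return lines


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    inventory = [
        ("wiki-a", "6.13.22"),   # affected, fix 6.13.23
        ("wiki-b", "6.13.23"),   # first fixed 6.13.x release
        ("wiki-c", "7.4.9"),     # affected; string compare would misrank it
        ("wiki-d", "7.4.10"),    # affected, fix 7.4.11
        ("wiki-e", "7.4.12"),    # past the 7.4 fix, not affected
        ("wiki-f", "7.11.5"),    # affected, fix 7.11.6
        ("wiki-g", "7.12.4"),    # affected, fix 7.12.5
        ("wiki-h", "7.13.0"),    # outside every listed range
    ]
    print("\n".join(report(inventory)))
```

Run it against your own `(host, version)` list; anything reported as not affected on a release line newer than 7.12 is simply outside the advisory's scope, not a statement that the line is safe from other issues.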
The vulnerability ID for this vulnerability is CVE-2021-39114.
The severity level of CVE-2021-39114 is high, with a score of 8.8.
The same four ranges are affected for both Confluence Server and Confluence Data Center: versions before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5.
An attacker who holds any valid account on the instance can exploit this vulnerability by injecting an OGNL payload to execute arbitrary Java code or run arbitrary system commands on the Confluence host; because only a valid account is required, instances that allow self-signup or hold many low-privilege users should be treated as directly exposed.
Atlassian has released fixed versions of Confluence Server and Data Center (6.13.23, 7.4.11, 7.11.6 and 7.12.5) to address this vulnerability; upgrade to the fixed release for your release line.