This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. An OGNL injection vulnerability exists that would allow an authenticated user and in some instances unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the issue by running the script below for the Operating System that Confluence is hosted on.CVE-2021-26084 - Confluence Server Webwork OGNL injection If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.12.5. If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.11.6. If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.4.11. If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 6.13.23. If you are running an affected version upgrade to version 7.13.0 (LTS) or higher. You can download the latest version from the download centre. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. Released versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 which contain a fix for this issue.Ītlassian recommends that you upgrade to the latest Long Term Support release. We have taken the following steps to address this issue: The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program. DescriptionĪn OGNL injection vulnerability exists that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.Īll versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability. This is our assessment and you should evaluate its applicability to your own IT environment. This vulnerability is being actively exploited in the wild.Īffected servers should be patched immediately.Ītlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 are affected by this vulnerability. This advisory discloses a critical severity security vulnerability.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |