CVE-2021-26084
Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
27Exploited in Wild
YesDecision
Descriptions
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
En las versiones afectadas de Confluence Server y Data Center, se presenta una vulnerabilidad de inyección OGNL que permitiría a un usuario no autenticado ejecutar código arbitrario en una instancia de Confluence Server o Data Center. Las versiones afectadas son las versiones anteriores a 6.13.23, desde versiones 6.14.0 anteriores a 7.4.11, desde versiones 7.5.0 anteriores a 7.11.6 y desde versiones 7.12.0 anteriores a 7.12.5.
Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-25 CVE Reserved
- 2021-08-30 CVE Published
- 2021-09-01 First Exploit
- 2021-11-03 Exploited in Wild
- 2021-11-17 KEV Due Date
- 2024-09-17 CVE Updated
- 2024-11-16 EPSS Updated
CWE
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CAPEC
References (33)
| URL | Date | SRC |
|---|---|---|
| https://jira.atlassian.com/browse/CONFSERVER-67940 | 2021-08-25 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Atlassian Search vendor "Atlassian" | Confluence Data Center Search vendor "Atlassian" for product "Confluence Data Center" | < 6.13.23 Search vendor "Atlassian" for product "Confluence Data Center" and version " < 6.13.23" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Confluence Data Center Search vendor "Atlassian" for product "Confluence Data Center" | >= 6.14.0 < 7.4.11 Search vendor "Atlassian" for product "Confluence Data Center" and version " >= 6.14.0 < 7.4.11" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Confluence Data Center Search vendor "Atlassian" for product "Confluence Data Center" | >= 7.5.0 < 7.11.6 Search vendor "Atlassian" for product "Confluence Data Center" and version " >= 7.5.0 < 7.11.6" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Confluence Data Center Search vendor "Atlassian" for product "Confluence Data Center" | >= 7.12.0 < 7.12.5 Search vendor "Atlassian" for product "Confluence Data Center" and version " >= 7.12.0 < 7.12.5" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Confluence Server Search vendor "Atlassian" for product "Confluence Server" | < 6.13.23 Search vendor "Atlassian" for product "Confluence Server" and version " < 6.13.23" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Confluence Server Search vendor "Atlassian" for product "Confluence Server" | >= 6.14.0 < 7.4.11 Search vendor "Atlassian" for product "Confluence Server" and version " >= 6.14.0 < 7.4.11" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Confluence Server Search vendor "Atlassian" for product "Confluence Server" | >= 7.5.0 < 7.11.6 Search vendor "Atlassian" for product "Confluence Server" and version " >= 7.5.0 < 7.11.6" | - |
Affected
| ||||||
| Atlassian Search vendor "Atlassian" | Confluence Server Search vendor "Atlassian" for product "Confluence Server" | >= 7.12.0 < 7.12.5 Search vendor "Atlassian" for product "Confluence Server" and version " >= 7.12.0 < 7.12.5" | - |
Affected
| ||||||