Atlassian released security patches to fix a critical flaw in Confluence

Atlassian released patches to fix a critical flaw, tracked as CVE-2021-26084, affecting the Confluence enterprise collaboration product.

Atlassian released security patches to address a critical vulnerability, tracked as CVE-2021-26084, affecting the Confluence enterprise collaboration product.

The flaw is an OGNL injection issue that can be exploited by an authenticated attacker to execute arbitrary code on affected Confluence Server and Data Center instances.

“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. ” reads the advisory published by the company.

The issue was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program, the vulnerability received a CVSS score of 9.8.

Affected versions are:

• version < 6.13.23
• 6.14.0 ≤ version < 7.4.11
• 7.5.0 ≤ version < 7.11.5
• 7.12.0 ≤ version < 7.12.5

Fixed versions:

• 6.13.23
• 7.4.11
• 7.11.6
• 7.12.5
• 7.13.0

The company has fixed the flaw with the release of versions 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0.

Organizations should install the security patches as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Atlassian Confluence)

[adrotate banner=”5″]

[adrotate banner=”13″]