CVE-2021-39114

Published: Apr 5, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Affected (8)

Products: Atlassian: Confluence Data Center, Confluence Server

Atlassian

2 products

Confluence Data Center

Confluence Server

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Atlassian Confluence Data Center	Before 6.13.23
Atlassian Confluence Data Center	From 6.14.0 to 7.4.11
Atlassian Confluence Data Center	From 7.12.0 to 7.12.5
Atlassian Confluence Data Center	From 7.5.0 to 7.11.6
Atlassian Confluence Server	Before 6.13.23
Atlassian Confluence Server	From 6.14.0 to 7.4.11
Atlassian Confluence Server	From 7.12.0 to 7.12.5
Atlassian Confluence Server	From 7.5.0 to 7.11.6

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://jira.atlassian.com/browse/CONFSERVER-68844

Source: security@atlassian.com

Issue TrackingThird Party Advisory

https://jira.atlassian.com/browse/CONFSERVER-68844

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.