⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2021-11-17.

CVE-2021-26084 — Expression Language Injection in Atlassian Confluence Data Center

CWE-917 — Expression Language Injection CWE-74 — Injection29 documents14 sources

Severity

9.8CRITICALNVD

EPSS

94.4%

top < 0.01%

CISA KEV

KEVRansomware

Added 2021-11-03

Due 2021-11-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Atlassian Confluence Data Center Atlassian Confluence Server

Timeline

PublishedAug 30

KEV addedNov 3

KEV dueNov 17

Latest updateDec 21

CISA Required Action: Apply updates per vendor instructions.

Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5atlassian/confluence_data_centerunspecified — 6.13.23+6

▶NVDatlassian/confluence_data_center6.14.0 — 7.4.11+3

▶CVEListV5atlassian/confluence_serverunspecified — 6.13.23+6

▶NVDatlassian/confluence_server6.14.0 — 7.4.11+3

Patches

Patch: jira.atlassian.com ↗Patch: jira.atlassian.com ↗

🔴Vulnerability Details

Project0

2022 0-day In-the-Wild Exploitation…so far - Project Zero↗2022-06-01

▶

GHSA

GHSA-855c-xp53-5fp2: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some↗2022-05-24

▶

CVEList

CVE-2021-26084: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to exec↗2021-08-30

▶

VulnCheck

Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability↗2021

▶

💥Exploits & PoCs

Exploit-DB

Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)↗2021-09-01

▶

Nuclei

Confluence Server - Remote Code Execution

▶

📋Vendor Advisories

CISA

Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability↗2021-11-03

▶

🕵️Threat Intelligence

Unit42

Network Security Trends: August-October 2021↗2021-12-21

▶

Fortinet

Recent Attack Uses Vulnerability on Confluence Server | FortiGuard Labs↗2021-10-21

▶

Trendmicro

Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One↗2021-10-18

▶

Trendmicro

Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One↗2021-10-18

▶

Trendmicro

Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One↗2021-10-18

▶

💬Community

HackerOne

RCE in ███ [CVE-2021-26084]↗2023-12-21

▶

HackerOne

RCE on ███████ [CVE-2021-26084]↗2023-12-21

▶