CVE-2021-39114 — Code Injection in Atlassian Confluence Data Center

CWE-94 — Code Injection CWE-74 — Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 41.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Confluence Data Center Atlassian Confluence Server

Timeline

PublishedApr 5

Latest updateApr 6

Description

Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5atlassian/confluence_data_centerunspecified — 6.13.23+6

▶NVDatlassian/confluence_data_center6.14.0 — 7.4.11+3

▶CVEListV5atlassian/confluence_serverunspecified — 6.13.23+6

▶NVDatlassian/confluence_server6.14.0 — 7.4.11+3

🔴Vulnerability Details

GHSA

GHSA-2grp-34h8-p48c: Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbi↗2022-04-06

▶

OSV

CVE-2021-39114: Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbi↗2022-04-05

▶

CVEList

CVE-2021-39114: Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbi↗2022-04-05

▶