
Atlassian Confluence Data Center vulnerabilities

59 known vulnerabilities affecting atlassian/confluence_data_center.

Total CVEs: 59
CISA KEV: 6 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 6, HIGH 37, MEDIUM 15, LOW 1

Vulnerabilities

Page 3 of 3
CVE-2021-39114 | HIGH | CVSS 8.8 | fixed in 6.13.23 | affected ≥ 6.14.0, < 7.4.11 (+9 more) | 2022-04-05
CWE-94: Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and fr
Source: nvd

CVE-2021-43940 | HIGH | CVSS 7.8 | fixed in 7.4.10 | affected ≥ 7.5.0, < 7.12.3 (+3 more) | 2022-02-15
CWE-427: Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer. This vulnerability only affects installations of Confluence Server and Data Center on Windows. The affected versions are before version 7.
Source: nvd

CVE-2021-26084 | CRITICAL | CVSS 9.8 | KEV | PoC | fixed in 6.13.23 | affected ≥ 6.14.0, < 7.4.11 (+9 more) | 2021-08-30
CWE-917: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from vers
Source: nvd

CVE-2021-26085 | MEDIUM | CVSS 5.3 | KEV | PoC | fixed in 7.4.10 | affected ≥ 7.5.0, < 7.12.3 (+3 more) | 2021-08-03
CWE-425: Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
Source: nvd

CVE-2020-29444 | MEDIUM | CVSS 5.4 | fixed in 7.11.0 | 2021-05-07
CWE-79: Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or JavaScript via a Cross Site Scripting vulnerability in admin global setting parameters.
Source: nvd

CVE-2021-26072 | MEDIUM | CVSS 4.3 | PoC | fixed in 5.8.6 | affected ≥ unspecified, < 5.8.6 | 2021-04-01
CWE-918: The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability.
Source: nvd

CVE-2020-29448 | MEDIUM | CVSS 5.3 | fixed in 6.13.18 | affected ≥ 6.14.0, < 7.4.6 (+6 more) | 2021-02-22
The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
Source: nvd

CVE-2020-29450 | MEDIUM | CVSS 6.5 | fixed in 7.2.0 | 2021-01-19
CWE-434: Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0.
Source: nvd

CVE-2020-14175 | MEDIUM | CVSS 5.4 | fixed in 7.4.2 | affected ≥ 7.5.0, < 7.5.2 | 2020-07-24
CWE-79: Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2.
Source: nvd

CVE-2020-4027 | MEDIUM | CVSS 4.7 | affected ≥ unspecified, < 7.4.5; ≥ 7.5.0, < unspecified (+1 more) | 2020-07-01
CWE-74: Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.
Source: nvd

CVE-2019-20406 | HIGH | CVSS 7.8 | affected ≥ unspecified, < 7.0.5; ≥ 7.1.0, < unspecified (+1 more) | 2020-02-06
CWE-427: The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version 7.1.0 before version 7.1.1 allows local system attackers who have permission to write a DLL file in a directory in the global path environmental variable to inject code & escalate their privileges via a DLL hijacking vulnerabilit
Source: nvd

CVE-2018-20239 | MEDIUM | CVSS 5.4 | fixed in 6.15.2 | 2019-04-30
CWE-79: Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a pl
Source: nvd

CVE-2018-20237 | MEDIUM | CVSS 6.5 | fixed in 6.13.1 | affected ≥ 6.13.2, < 6.14.0 (+1 more) | 2019-02-13
CWE-668: Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature.
Source: nvd

CVE-2024-22257 | HIGH | CVSS 8.9
Affected versions: 8.9.0 to 8.9.2, 8.8.0 to 8.8.1, 8.7.1 to 8.7.2, 8.6.0 to 8.6.2, 8.5.0 to 8.5.10 (LTS), 8.4.0 to 8.4.5, 8.3.0 to 8.3.4, 8.2.0 to 8.2.3, 8.1.0 to 8.1.4, 8.0.0 to 8.0.4, 7.20.0 to 7.20.3, 7.19.0 to 7.19.23 (LTS). CVE:
Source: atlassian

CVE-2024-22243 | HIGH | CVSS 8.1
SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Confluence Data Center and Server. CVE: CVE-2024-22243. Affected products: Confluence Data Center
Source: atlassian

CVE-2024-29131 | HIGH | CVSS 2.0
DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server. CVE: CVE-2024-29131. Affected products: Confluence Data Center
Source: atlassian

CVE-2024-22259 | HIGH | CVSS 8.1
SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Confluence Data Center and Server. CVE: CVE-2024-22259. Affected products: Confluence Data Center
Source: atlassian

CVE-2024-22262 | HIGH | CVSS 8.1
SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Confluence Data Center and Server. CVE: CVE-2024-22262. Affected products: Confluence Data Center
Source: atlassian

CVE-2024-29133 | MEDIUM | CVSS 2.0
DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server. CVE: CVE-2024-29133. Affected products: Confluence Data Center
Source: atlassian