CVE-2021-39114

Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
atlassianCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
atlassianconfluence_data_center
𝑥
< 6.13.23
atlassianconfluence_data_center
6.14.0 ≤
𝑥
< 7.4.11
atlassianconfluence_data_center
7.5.0 ≤
𝑥
< 7.11.6
atlassianconfluence_data_center
7.12.0 ≤
𝑥
< 7.12.5
atlassianconfluence_server
𝑥
< 6.13.23
atlassianconfluence_server
6.14.0 ≤
𝑥
< 7.4.11
atlassianconfluence_server
7.5.0 ≤
𝑥
< 7.11.6
atlassianconfluence_server
7.12.0 ≤
𝑥
< 7.12.5
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
confluence
xenial
needed
trusty
ignored
Common Weakness Enumeration
References
https://jira.atlassian.com/browse/CONFSERVER-68844
https://jira.atlassian.com/browse/CONFSERVER-68844