lkpsusa.blogg.se

Confluence server










Atlassian has released a security vulnerability notice that affects Confluence Server & Confluence Data Center products.

Atlassian disclosed a critical severity security vulnerability that affects the following products:

  • Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

If you use these products, see below for steps to address this vulnerability. Note that Confluence Cloud is not affected by the issue described in this announcement.

CVE-2021-26084 - Confluence Server Webwork OGNL injection

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in the Atlassian severity levels. The scale allows Atlassian to rank the severity as critical, high, moderate, or low. This is Atlassian's own assessment and you should evaluate its applicability to your own IT environment.

An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options.

All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.

Atlassian has taken the following steps to address this issue: released versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0, which contain a fix for this issue.

Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes.

  • Upgrade to version 7.13.0 (LTS) or higher.
  • If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 6.13.23.
  • If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.4.11.
  • If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.11.6.
  • If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.12.5.
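
The affected ranges and upgrade targets stated in this notice, turned into an inventory check. This is an added example, not part of the original notice or Atlassian's code; the host names, the `triage` helper and the `signup_enabled` field are constructed for illustration.

```python
import re

# Half-open affected ranges (first affected, first fixed), taken from the notice.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]
# Same-branch fixes for sites that cannot move to the LTS release.
BRANCH_FIX = {(6, 13): "6.13.23", (7, 4): "7.4.11", (7, 11): "7.11.6", (7, 12): "7.12.5"}
LTS_FIX = "7.13.0"

def parse_version(text):
    """Parse 'major.minor[.patch]' into an int tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_affected(version):
    """True if the version falls in any affected range from the notice."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def upgrade_targets(version):
    """Fixed versions to move to, LTS first; empty list if not affected."""
    if not is_affected(version):
        return []
    branch = BRANCH_FIX.get(parse_version(version)[:2])
    return [LTS_FIX] + ([branch] if branch else [])

def triage(inventory):
    """(host, version, signup_enabled) rows -> findings, signup-enabled hosts first."""
    findings = []
    for host, version, signup_enabled in inventory:
        targets = upgrade_targets(version)
        if targets:
            findings.append({"host": host, "version": version,
                             "signup_enabled": signup_enabled, "upgrade_to": targets})
    # Open signup widens who can reach the vulnerable endpoints, so list those first.
    return sorted(findings, key=lambda f: not f["signup_enabled"])

if __name__ == "__main__":
    # Constructed inventory (not real systems): host, reported version, signup setting.
    inventory = [("wiki-a", "6.13.22", False), ("wiki-b", "7.4.11", False),
                 ("wiki-c", "7.9.3", True), ("wiki-d", "7.12.4", False)]
    for finding in triage(inventory):
        print(finding)
```

The `signup_enabled` value corresponds to the setting under COG > User Management > User Signup Options and has to be collected separately from the version.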










