Atlassian warns of critical Confluence flaw


Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw.

The company’s not saying a lot about CVE-2021-26084, besides describing it as a “Confluence Server Webwork OGNL injection vulnerability … that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.”

The bug scores 9.8 on the ten-point Common Vulnerability Scoring System.

Atlassian has released fixed versions of the product – namely versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 – but the company’s advisory suggests upgrading to the latest long-term service release.

Read more…