PT-2021-15419 · Atlassian · Confluence
Kai Zhao
·
Published
2021-12-02
·
Updated
2026-05-06
·
CVE-2021-23259
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Atlassian Confluence versions prior to 7.4.11
Atlassian Confluence versions 7.3.0 through 7.3.6
Atlassian Confluence versions 7.0.0 through 7.0.14
Atlassian Confluence versions 6.13.0 through 6.15.9
Description
The issue allows authenticated users with Administrator or Developer roles to execute OS commands by Groovy Script, which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely.
Recommendations
For versions prior to 7.4.11, update to version 7.4.11 or later.
For versions 7.3.0 through 7.3.6, update to version 7.3.7 or later.
For versions 7.0.0 through 7.0.14, update to version 7.0.15 or later.
For versions 6.13.0 through 6.15.9, update to version 6.15.10 or later.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Confluence