CVE-2021-26084 Report - Details, Severity, & Advisories

Twingate Team

May 31, 2024

What is CVE-2021-26084?

CVE-2021-26084 is a critical vulnerability affecting Confluence Server and Data Center instances, with a severity score of 9.8 out of 10. It is essential for organizations to address this vulnerability promptly to protect their systems and data from potential exploitation.

Who is impacted by CVE-2021-26084?

CVE-2021-26084 impacts Confluence Server and Data Center instances in the following version ranges: before version 6.13.23, from version 6.14.0 to 7.4.10, from version 7.5.0 to 7.11.5, and from version 7.12.0 to 7.12.4. This critical vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems, posing a significant risk to organizations using these versions of Confluence Server and Data Center.

What should I do if I’m affected?

If you're affected by the CVE-2021-26084 vulnerability, it's crucial to take immediate action to protect your systems. First, check your Confluence Server or Data Center version to see if it falls within the affected range. If so, upgrade to a fixed version (6.13.23, 7.4.11, 7.11.6, 7.12.5, or 7.13.0) as soon as possible. If upgrading isn't an option, follow the mitigation steps provided in the Confluence Security Advisory.
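The version check described above can be scripted across an inventory. The following is an added example, not code from Twingate or Atlassian: the host names and inventory are constructed, and pairing each affected range with the fixed release that closes it is an assumption drawn from the two version lists on this page.

```python
import re

# (first affected, first fixed) per release line, taken from the ranges on this
# page; the upper bound is exclusive. Pairing range -> fix is an assumption.
AFFECTED = [
    ((0, 0, 0), (6, 13, 23)),   # before 6.13.23
    ((6, 14, 0), (7, 4, 11)),   # 6.14.0 to 7.4.10
    ((7, 5, 0), (7, 11, 6)),    # 7.5.0 to 7.11.5
    ((7, 12, 0), (7, 12, 5)),   # 7.12.0 to 7.12.4
]

def parse_version(text):
    """Parse 'X.Y.Z' (or 'X.Y') into an int tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognized Confluence version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def assess(version_text):
    """Return (affected, minimum fixed version for that release line or None)."""
    v = parse_version(version_text)
    for low, fixed in AFFECTED:
        if low <= v < fixed:
            return True, ".".join(map(str, fixed))
    return False, None

def triage(inventory):
    """Split {host: version} into {affected host: upgrade target} and a list
    of hosts whose version string could not be parsed (check those by hand)."""
    affected, unparsed = {}, []
    for host, ver in sorted(inventory.items()):
        try:
            hit, target = assess(ver)
        except ValueError:
            unparsed.append(host)
            continue
        if hit:
            affected[host] = target
    return affected, unparsed

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts).
    sample = {"wiki-a": "7.12.4", "wiki-b": "7.13.0",
              "wiki-c": "6.13.22", "wiki-d": "unknown"}
    print(triage(sample))
```

Hosts returned in the second list have no usable version string, so they need a manual check rather than being assumed safe.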

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2021-26084 vulnerability is indeed listed in CISA's Known Exploited Vulnerabilities Catalog. Named Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability, it was added on November 3, 2021, with a due date of November 17, 2021. T

Weakness Enumeration

This vulnerability is classified as CWE-917, which covers improper neutralization of special elements used in an expression language statement.

Learn More

For the full description, severity, technical details, and affected software configurations of CVE-2021-26084, refer to the NVD page.
