Atlassian has released security patches to address a critical vulnerability (CVE-2021-26084) in their Confluence Server and Data Center products.
Successful exploitation of this vulnerability may allow an authenticated attacker and in some cases, an unauthenticated attacker, to execute arbitrary code on affected instances.
The following versions are affected:
- Versions before 6.13.23
- Versions from 6.14.0 and before 7.4.11 (v7.4.11 is the patched version)
- Versions from 7.5.0 and before 7.11.6 (v7.11.6 is the patched version)
- Versions from 7.12.0 and before 7.12.5 (v7.12.5 is the patched version)
Administrators and users who are using affected versions of the products are advised to upgrade to the latest versions immediately.
Administrators and users who are unable to upgrade immediately can mitigate the issue by running scripts based on the operating systems that their products are hosted on. The scripts and more information about the vulnerability can be found in Atlassian's security advisory here: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html