CVE-2021-26085 vulnerability in Atlassian Products
Published on August 3, 2021
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
Known Exploited Vulnerability
This Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a pre-authorization arbitrary file read vulnerability in the /s/ endpoint.
The following remediation steps are recommended / required by April 18, 2022: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2021-26085 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2021-26085 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2021-26085
You can be notified by stack.watch whenever vulnerabilities like CVE-2021-26085 are published in these products:
What versions are vulnerable to CVE-2021-26085?
-
Atlassian Confluence Server
Fixed in Version 7.4.10
-
Atlassian Confluence Server
Version 7.5.0
Fixed in Version 7.12.3
-
Atlassian Confluence Data Center
Version 7.5.0
Fixed in Version 7.12.3
-
Atlassian Confluence Data Center
Fixed in Version 7.4.10