Please share the following information with your teams.
Information Security has noted a recent critical vulnerability (CVE-2021-26084) in Confluence Server and Confluence Data Center that is being exploited in the wild. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to vulnerable endpoints on the Confluence Server or Data Center instance.
CVSS Score: 9.8 (Critical)
The vulnerability permits the injection of OGNL code and thus execution of arbitrary code on computers with Confluence Server or Confluence Data Center installed. In some cases, even a user who is not authenticated can exploit the vulnerability.
Affected versions: all 4.x.x versions, all 5.x.x versions, all 6.0.x versions, all 6.1.x versions, all 6.2.x versions, all 6.3.x versions, all 6.4.x versions, all 6.5.x versions, all 6.6.x versions, all 6.7.x versions, all 6.8.x versions, all 6.9.x versions, all 6.10.x versions, all 6.11.x versions, all 6.12.x versions, all 6.13.x versions before 6.13.23, all 6.14.x versions, all 6.15.x versions, all 7.0.x versions, all 7.1.x versions, all 7.2.x versions, all 7.3.x versions, all 7.4.x versions before 7.4.11, all 7.5.x versions, all 7.6.x versions, all 7.7.x versions, all 7.8.x versions, all 7.9.x versions, all 7.10.x versions, all 7.11.x versions before 7.11.6, all 7.12.x versions before 7.12.5.
Confluence Cloud is not affected.
A remote attacker could exploit this vulnerability to take control of an affected system.
Atlassian has released patches for CVE-2021-26084.
Update to the fixed versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, or 7.13.0.
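To help teams check their own inventory against the version ranges above, here is an added example (not Atlassian's code and not part of the original advisory) that classifies a Confluence Server or Data Center version string as affected, fixed, or not listed, using only the ranges and fix versions stated in this notice. The sample inventory at the bottom is constructed, and treating releases after 7.13.0 as fixed is an assumption.

```python
# Added example: classify a Confluence Server / Data Center version against the
# affected ranges and fix versions listed in this advisory for CVE-2021-26084.
import re

# (major, minor) lines where every patch level is listed as affected
FULLY_AFFECTED_MINORS = (
    {(6, m) for m in (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15)}
    | {(7, m) for m in (0, 1, 2, 3, 5, 6, 7, 8, 9, 10)}
)

# Lines where only patch levels below the listed fix are affected
FIX_THRESHOLDS = {(6, 13): 23, (7, 4): 11, (7, 11): 6, (7, 12): 5}


def parse_version(text):
    """Parse 'x.y.z' (a trailing suffix such as '-beta' is ignored) into ints."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version):
    """Return 'affected', 'fixed' or 'not listed' for one version string."""
    major, minor, patch = parse_version(version)
    if major in (4, 5):
        return "affected"  # all 4.x.x and 5.x.x releases are listed
    if (major, minor) in FULLY_AFFECTED_MINORS:
        return "affected"
    if (major, minor) in FIX_THRESHOLDS:
        return "affected" if patch < FIX_THRESHOLDS[(major, minor)] else "fixed"
    if (major, minor) >= (7, 13):
        return "fixed"  # 7.13.0 ships the fix; later releases assumed to keep it
    return "not listed"  # e.g. 3.x, which the advisory does not mention


def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = {"wiki-01": "7.12.4", "wiki-02": "7.12.5",
              "wiki-03": "6.13.23", "wiki-04": "7.4.10"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```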
UIT Client Services at firstname.lastname@example.org or 416 736 5800