| Summary | RCE vulnerabilities in User Profile Configuration of User Profiles for Confluence |
|---|---|
| Advisory Release Date | 27 October 2021 |
| Product | User Profiles for Confluence |
| Affected User Profiles for Confluence Versions | all versions up to and including 3.3.12 |
| Fixed User Profiles for Confluence Version | 3.3.13 |
Problem
We identified security vulnerabilities in our User Profiles for Confluence app.
They are RCE (Remote Code Execution) vulnerabilities in the handling of the titles of user profile elements.
The vulnerabilities have been rated P1 (Critical) according to the scale published in Bugcrowd's Vulnerability Rating Taxonomy (VRT).
All User Profiles for Confluence versions up to and including 3.3.12 are affected.
Solution
If you are using an affected version of the User Profiles for Confluence app (3.3.12 or earlier), update to User Profiles for Confluence 3.3.13 immediately.
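To check whether an instance is still on an affected version, the app version can be read from the Universal Plugin Manager listing (GET /rest/plugins/1.0/ on the Confluence base URL) and compared numerically against 3.3.13. The following is an added example, not part of this advisory or the app's own code: it parses a constructed sample of that listing and classifies the installed version. The plugin key used here and the exact JSON field layout are assumptions; verify both against your own UPM output. The comparison is done on numeric tuples because a plain string compare would rank "3.3.9" above "3.3.12" and "3.10.0" below "3.3.13".

```python
"""Classify an installed User Profiles for Confluence version as affected
(3.3.12 or earlier) or fixed (3.3.13 or later), based on a UPM plugin listing."""
import json
import re

# Assumption: the plugin key under which UPM lists User Profiles for Confluence.
# Confirm it against the "key" field of your own /rest/plugins/1.0/ output.
PLUGIN_KEY = "communardo.confluence.plugins.userprofile"
FIXED_VERSION = "3.3.13"


def parse_version(version):
    """Turn '3.3.12' into (3, 3, 12) so that comparison is numeric, not lexical.
    Non-numeric suffixes such as '-SNAPSHOT' are dropped at the first non-digit piece."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def is_affected(version):
    """True when the version is strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_installed_version(upm_json, key=PLUGIN_KEY):
    """Return the 'version' of the plugin with the given key, or None if absent.
    Assumed response shape: {"plugins": [{"key": ..., "version": ..., "enabled": ...}, ...]}."""
    for plugin in upm_json.get("plugins", []):
        if plugin.get("key") == key:
            return plugin.get("version")
    return None


def assess(upm_json, key=PLUGIN_KEY):
    """Return 'not installed', 'affected' or 'fixed' for the given UPM listing."""
    version = find_installed_version(upm_json, key)
    if version is None:
        return "not installed"
    return "affected" if is_affected(version) else "fixed"


# Constructed sample of a UPM listing, trimmed to the fields used above.
SAMPLE_UPM_RESPONSE = json.loads("""
{"plugins": [
  {"key": "com.atlassian.confluence.plugins.confluence-space-ia", "version": "5.2.1", "enabled": true},
  {"key": "communardo.confluence.plugins.userprofile", "version": "3.3.12", "enabled": true}
]}
""")

if __name__ == "__main__":
    print(assess(SAMPLE_UPM_RESPONSE))  # affected
```

Against a live instance, fetch the listing with an administrator session (for example `curl -u admin https://<confluence>/rest/plugins/1.0/`) and pass the decoded JSON to `assess`; an `affected` result means the instance must be updated to 3.3.13 or later.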
Root Cause
The vulnerabilities stem from the previously disclosed OGNL injection vulnerability in Confluence Server and Data Center, CVE-2021-26084. For more details, see the issue itself (CVE-2021-26084) or the news report "Atlassian Confluence flaw actively exploited to install cryptominers".