OGNL double evaluation in atlassian-xwork

2013-08-03T08:00:28
ID ATLASSIAN:CONFSERVER-30221
Type atlassian
Reporter vosipov
Modified 2017-02-17T04:35:12

Description

We have fixed a vulnerability in our version of Xwork. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. A valid user account is not required to exploit this vulnerability.

The vulnerability affects all versions of Confluence up to and including 5.1.4.

No other Atlassian products are affected.

For more information on this issue, including full instructions on patches and workarounds, please see the security advisory: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2013-08-05

Our thanks to Reginaldo Silva who reported this vulnerability.