History: Jul 01, 2020 - 1:35 a.m.

CVE-2020-4027

2020-07-01 01:35:29
atlassian
www.cve.org
4

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

43.2%

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.

CNA Affected

[
  {
    "product": "Confluence Server",
    "vendor": "Atlassian",
    "versions": [
      {
        "lessThan": "7.4.5",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "7.5.0",
        "versionType": "custom"
      },
      {
        "lessThan": "7.5.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Confluence Data Center",
    "vendor": "Atlassian",
    "versions": [
      {
        "lessThan": "7.4.5",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "7.5.0",
        "versionType": "custom"
      },
      {
        "lessThan": "7.5.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
