We have identified and fixed a vulnerability in Confluence which allowed unauthenticated users to perform actions on behalf of any other authorised user. In order to exploit this vulnerability, an attacker requires access to the Confluence web interface.

The vulnerability affects all supported versions of Confluence up to and including 5.4.

Versions 5.3.4, 5.4 and 5.4.1 are not vulnerable but require patches for compatibility purposes in order to be able to connect to patched or upgraded versions of JIRA and other Atlassian products. You do not need to patch these versions if you are not using Application Links with Trusted Applications authentication configured. Version 5.4.2 is not vulnerable but contains bug CONF-32397.

This issue has been fixed in 5.4.3.

For more information, see our security advisory.

Attachments:

1. confluence-40-patch.zip (4.52 MB)
2. confluence-41-patch.zip (4.53 MB)
3. confluence-42-patch.zip (3.52 MB)
4. confluence-43-patch.zip (3.51 MB)
5. confluence-50-patch.zip (3.54 MB)
6. confluence-51-patch.zip (3.54 MB)
7. confluence-52-patch.zip (3.59 MB)
8. confluence-53-patch.zip (3.59 MB)
9. confluence-54-patch.zip (3.60 MB)

[CONFSERVER-31628] Privilege escalation

Tri Lai added a comment - edited

@Ralph If you follow the link to the same issue on JIRA, there's some reasonable explanation there, and yes, I think they are vulnerable.
The link is here: https://jira.atlassian.com/browse/JRA-35797

Ralph Böhmert added a comment -

[...] an attacker requires access to Confluence web interface.

Are Confluence (and Jira) with disabled anonymous access vulnerable?

MattS added a comment - edited

https://confluence.atlassian.com/display/Support/Atlassian+Support+End+of+Life+Policy shows all the supported versions. Confluence 3.5.4 is not supported so won't get a patch, I believe, based on that page.

My concern is whether I can use a patch for x.y.10 on the x.y.5 version of all the products. I suspect it will work but just hasn't been tested.

Wolfram Schlich added a comment -

Can you confirm whether Confluence 3.5.4 is also vulnerable?
The advisory mentions "The vulnerability affects all supported versions of Confluence up to and including 5.4.", but it's unclear to me whether 3.5.4 is a supported version and thus whether it's affected (I guess it is, but I'd like to know for sure).

Assignee: Unassigned
Reporter: Renan Battaglin