We have discovered and fixed a vulnerability in our fork of WebWork. Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework. The attacker needs to have an account and be able to access the Confluence web interface.

      All versions of Confluence up to and including 5.6 are affected by this vulnerability.

      The vulnerability has been fixed in releases 5.5.7 and 5.6.6.

      For additional details see the full advisory.

            [CONFSERVER-36080] OGNL Double Evaluation Vulnerability

            Chris Grijalva added a comment - Is there any description or symptomatology of this vulnerability? It would be beneficial to know what to look for and where to look. Replacing a jar doesn't provide much validation.

            Frederico Silva Guimaraes added a comment (edited) - Same question as Atte Oksman: "It's still unclear to me. Does the attacker have to be logged in or is it enough that he has the details (knowledge) of an account? What is the "Confluence web interface"? Is the login page part of the web interface?"

            Steve Haffenden (Inactive) added a comment - This issue does impact all 5.6 versions up to and including 5.6.5

            Carter Snowden added a comment - Same question – does this affect 5.6.3 and 5.6.4 or are they ok?

            Timothy Harris added a comment - I am unsure if this affects version 5.6.3. It says 5.6 and 5.6.5 fix version 5.6.6. Should I assume this affects all versions between 5.6 and 5.6.5?

            Atte Oksman added a comment - It's still unclear to me. Does the attacker have to be logged in or is it enough that he has the details (knowledge) of an account? What is the "Confluence web interface"? Is the login page part of the web interface?

            Ingo Bente added a comment - Yes, it now is. The wording was changed afterwards. See the Page History / the Activity of the issue for more details.

            Francisco Villar Romasanta added a comment (edited) - From the Advisory: "The attacker needs to have an account and be able to access the Confluence web interface." I think this is pretty clear.

            David Black added a comment - braxton1 there is no CVE for this vulnerability.

            Braxton Ehle added a comment - Is there a CVE for this vulnerability?
