Details
Suggestion
Resolution: Unresolved
Description
Issue Summary
Webwork/XWork has seen quite a few RCEs in the recent past, and we have improved Velocity/XStream in terms of security. It's time to tighten the ratchet on Webwork as well.
As a dev, I would like to see Webwork security on par with Struts' current standards. This means looking at Struts' closed security issues and assessing them against Webwork.
Confluence Cloud can pick up a new version of XWork (1.0.3-atlassian-8) and Webwork (2.1.5-atlassian-4) to bring this blocklist feature in.
Please follow this page to see the steps to bring this security feature in: https://hello.atlassian.net/wiki/spaces/~ggautam/blog/2021/10/21/1373912668/Being+proactive+in+guarding+Confluence+DC+Cloud+OGNL+edition#Action-for-Confluence-Cloud
Steps to Reproduce
N/A
Expected Results
Webwork is secure from future RCEs
Actual Results
RCE is there. See https://stash.atlassian.com/projects/CONFSERVER/repos/confluence/pull-requests/13684/overview
Workaround
Don't use AST velocity references to userDirectives like #tag or #bodytag
Attachments
Issue Links
- relates to
- VULN-568631