[CONFSERVER-33515] ClassLoader Manipulation vulnerability

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 5.5.2
Affects Version/s: None
Component/s: None
Labels:

CVSS Score:
8.5
Bug Fix Policy:
View Atlassian Server bug fix policy

We have fixed a vulnerability in our version of an Xwork library which is also part of Apache Struts. Attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. The attacker needs to be able to access the Confluence web interface. In cases when anonymous access is enabled, a valid user account is not required to exploit this vulnerability.

We have discovered this vulnerability during our review of the recent Struts security advisories. This vulnerability is specific to Confluence.
The vulnerability affects all versions of Confluence up to and including 5.5.1.

For more information see the full advisory.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

atlassian-xwork-core-1.17.jar
43 kB
12/May/2014 5:36 AM

causes

CONFSERVER-33738 Patch for Security advisory 2014-05-21 doesn't work in Confluence 3.5.X

Closed

is related to

CONFSERVER-33729 Upgrading to 5.5.1 from 5.4.3 didn't update xwork from 1.13 to 1.17

Closed

mentioned in: Confluence Security Advisory 2014-05-21; Page Failed to load; Page Failed to load; Page Loading...

(1 mentioned in)

Katherine Yabut made changes - 13/Nov/2018 4:42 AM

Workflow

Original: JAC Bug Workflow v3 [ 2893349 ]

New: CONFSERVER Bug Workflow v4 [ 2984866 ]

Owen made changes - 11/Oct/2018 8:59 AM

Workflow	Original: JAC Bug Workflow v2 [ 2793266 ]	New: JAC Bug Workflow v3 [ 2893349 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:17 PM

Workflow

Original: JAC Bug Workflow [ 2723047 ]

New: JAC Bug Workflow v2 [ 2793266 ]

Owen made changes - 02/Jul/2018 6:59 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2386138 ]

New: JAC Bug Workflow [ 2723047 ]

Alex Yakovlev (Inactive) made changes - 16/Oct/2017 3:51 AM

Labels

Original: advisory affects-server bugfix cvss-critical loyalty security

New: advisory affects-server cvss-critical loyalty security

Alex Yakovlev (Inactive) made changes - 16/Oct/2017 3:44 AM

Labels

Original: advisory affects-server bugfix cvss-critical security

New: advisory affects-server bugfix cvss-critical loyalty security

Katherine Yabut made changes - 22/Jun/2017 6:49 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2283091 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2386138 ]

Katherine Yabut made changes - 31/May/2017 5:35 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2223699 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2283091 ]

Katherine Yabut made changes - 31/May/2017 4:57 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2176991 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2223699 ]

Katherine Yabut made changes - 31/May/2017 2:00 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1941833 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2176991 ]

Assignee:: Unassigned

Reporter:: VitalyA

Affected customers:: 0 This affects my team

Watchers:: 8 Start watching this issue

Created:: 02/May/2014 5:03 AM

Updated:: 11/Oct/2018 8:59 AM

Resolved:: 20/May/2014 4:16 AM

Confluence Data Center

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

People

Dates