Confluence Server: CONFSERVER-52560

Access Restriction Bypass using watch notifications (CVE-2017-9505)


Details

• Symptom Severity: Severity 2 - Major
• QA Demo Status: Not Done
• QA Kickoff Status: Not Done

Description

Confluence did not check whether a user had permission to view a page when creating a workbox notification about new comments on it. An attacker who can log in to Confluence could therefore receive workbox notifications, which contain the full text of the comment, for comments added to a page after they started watching it, even though they had no permission to view the page itself.
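A small Python model of the defect described above, added here and not Confluence's own code: the watcher fan-out without the view-permission check beside the checked version, plus an audit helper that lists recipients who were handed content they cannot view. The Page and Notification types, the user names and the ACL are constructed; the scenario assumes a user can remain in a page's watcher list after losing permission to view it.

```python
from dataclasses import dataclass, field


@dataclass
class Page:
    page_id: int
    viewers: set                         # constructed ACL: users allowed to view the page
    watchers: set = field(default_factory=set)


@dataclass
class Notification:
    recipient: str
    page_id: int
    body: str                            # workbox notifications carry the comment text


def can_view(user: str, page: Page) -> bool:
    return user in page.viewers


def notify_watchers_vulnerable(page: Page, author: str, comment: str) -> list:
    # Behaviour the advisory describes: every watcher receives the comment text,
    # with no check that the watcher may view the page.
    return [Notification(w, page.page_id, comment)
            for w in sorted(page.watchers) if w != author]


def notify_watchers_fixed(page: Page, author: str, comment: str) -> list:
    # Hardened form: the view permission is evaluated when the notification is
    # created, so a stale watch entry cannot turn into a content leak.
    return [Notification(w, page.page_id, comment)
            for w in sorted(page.watchers) if w != author and can_view(w, page)]


def leaked_recipients(notifications: list, page: Page) -> list:
    # Audit helper: recipients who were handed content they are not allowed to view.
    return sorted({n.recipient for n in notifications if not can_view(n.recipient, page)})


def demo() -> tuple:
    # Constructed scenario (assumption): "mallory" watched the page earlier and is
    # still in the watcher list, but is no longer in the page's viewer set.
    page = Page(page_id=101, viewers={"alice", "bob"}, watchers={"alice", "mallory"})
    vuln = notify_watchers_vulnerable(page, "bob", "confidential comment")
    fixed = notify_watchers_fixed(page, "bob", "confidential comment")
    return leaked_recipients(vuln, page), leaked_recipients(fixed, page)


if __name__ == "__main__":
    print(demo())  # (['mallory'], [])
```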

Affected versions:

• Versions of Confluence starting with 4.3.0 before 6.2.1 are affected by this vulnerability.

Fix:

Workaround

If you are unable to upgrade to the fixed version or newer and need a workaround, you will need to disable in-app notifications from the workbox, as per the instructions found here:

1. Navigate to > General Configuration
2. Choose In-app Notifications in the left-hand panel
3. Select "does not provide in-app notifications".
4. The workbox icon will disappear from the Confluence top menu bar.

Acknowledgements

Atlassian would like to credit Mathias Frank of SEC Consult Vulnerability Lab for reporting this issue to us.
