Project: Confluence Data Center
Issue: CONFSERVER-52560

Access Restriction Bypass using watch notifications (CVE-2017-9505)

      Confluence did not check whether a user had permission to view a page when creating a workbox notification about new comments on that page. An attacker who can log in to Confluence could receive workbox notifications, which contain the text of the comment, for comments added to a page after they started watching it, even if they do not have permission to view the page itself. The view restriction was enforced when rendering the page but not when generating the notification, so the notification path leaked content the page itself would have refused to show.
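The following is an added, simplified model of the flaw described above; it is not Confluence's code, and the `Page`, `Comment`, `notify_vulnerable` and `notify_fixed` names and the sample data are made up for illustration. It contrasts a notification fan-out that trusts the watch list with one that re-evaluates the page view permission per recipient at delivery time, which is the check the advisory says was missing.

```python
"""Model of the CVE-2017-9505 class of bug: comment notifications fanned out
to page watchers without re-checking that each watcher may view the page.
Added illustration only, not Confluence's implementation; all names here
are invented."""
from dataclasses import dataclass, field


@dataclass
class Page:
    page_id: int
    title: str
    # Empty set means the page is unrestricted; otherwise only these users may view it.
    view_restricted_to: set[str] = field(default_factory=set)
    # Users who subscribed to change notifications for this page.
    watchers: set[str] = field(default_factory=set)


@dataclass
class Comment:
    page_id: int
    author: str
    body: str


def can_view(page: Page, user: str) -> bool:
    """The view check that the page rendering path already enforces."""
    return not page.view_restricted_to or user in page.view_restricted_to


def notify_vulnerable(page: Page, comment: Comment) -> dict[str, str]:
    """Before the fix: the watch list is treated as authorisation.
    Anyone on it receives the comment body, whether or not they may view
    the page the comment was posted on."""
    return {w: comment.body for w in page.watchers if w != comment.author}


def notify_fixed(page: Page, comment: Comment) -> dict[str, str]:
    """After the fix: authorisation is evaluated per recipient, at delivery
    time, against the parent page. Watch state is a preference, not a grant."""
    return {
        w: comment.body
        for w in page.watchers
        if w != comment.author and can_view(page, w)
    }


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed scenario: mallory is watching a page she is not allowed
    to view; bob (who may view it) adds a comment."""
    page = Page(
        page_id=42,
        title="Restricted planning page",
        view_restricted_to={"alice", "bob"},
        watchers={"alice", "mallory"},
    )
    comment = Comment(42, "bob", "Names are in the attached spreadsheet")
    return notify_vulnerable(page, comment), notify_fixed(page, comment)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable fan-out:", sorted(leaked))   # includes mallory
    print("fixed fan-out:     ", sorted(safe))     # alice only
```

The general lesson applies to any secondary delivery channel (workbox, e-mail digests, RSS, webhooks): the permission check belongs at the point where content leaves the system, not only at the page view, and it must be made against the object the content is derived from.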

      Affected versions:

      • Confluence versions from 4.3.0 up to, but not including, 6.2.1 are affected by this vulnerability.
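An added helper (not an Atlassian tool) for checking a deployed version string against the affected range stated above. Only the range boundaries 4.3.0 and 6.2.1 are taken from the advisory; the parsing rules are assumptions, and pre-release qualifiers such as "-rc1" are ignored, so a build labelled 6.2.1-rc1 is reported as not affected and should be verified separately.

```python
"""Check whether a Confluence version string lies in the affected range
4.3.0 <= v < 6.2.1 from the advisory. Added helper, not Atlassian's code."""
import re

AFFECTED_FROM = (4, 3, 0)   # first affected version (from the advisory)
FIXED_IN = (6, 2, 1)        # first fixed version (from the advisory)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Accepts '6.2', '6.2.1' or '6.2.1-rc1' (qualifier ignored, an assumption).
    Comparing integer tuples avoids the string-compare bug where
    '6.10.0' sorts before '6.2.1'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version falls in [4.3.0, 6.2.1)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


if __name__ == "__main__":
    for v in ("4.2.9", "4.3.0", "5.9.14", "6.2.0", "6.2.1", "6.10.0"):
        print(f"{v:>8}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```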

      Fix:

      Upgrade to Confluence 6.2.1 or a later version, which contains the fix.

      Workaround

      If you are unable to upgrade to the fixed version or newer and need a workaround, disable in-app (workbox) notifications as follows:

      1. Navigate to the administration (cog) menu > General Configuration
      2. Choose In-app Notifications in the left-hand panel
      3. Select "Does not provide in-app notifications".
      4. The workbox icon will disappear from the Confluence top menu bar.

      Note that this setting disables workbox notifications for all users, not only the comment notifications affected by this issue; it closes the leak at the cost of the feature until the upgrade is applied.

      Acknowledgements
      Atlassian would like to credit Mathias Frank of SEC Consult Vulnerability Lab for reporting this issue to us.
