
[CONFSERVER-52560] Access Restriction Bypass using watch notifications (CVE-2017-9505)

      Confluence did not check whether a user had permission to view a page when creating a workbox notification about new comments on it. An attacker who can log in to Confluence could therefore receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it, even if they no longer have permission to view the page itself.
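The following is an added illustration of the authorization gap the advisory describes, written as a small Python model rather than taken from Confluence's source; the Page, Notification, notify_vulnerable, notify_fixed and audit_watchers names, and the restriction scenario, are constructed for this example. It shows the pre-fix fan-out that notifies every watcher, the hardened fan-out that re-checks the page-level view permission for each recipient at notification time, and an audit helper an administrator could run over a model of their content to list watchers who can no longer view a restricted page.

```python
"""Model of the CVE-2017-9505 logic flaw: watch-notification fan-out that
skipped the page-level view check. Added example, not Confluence code."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Page:
    page_id: int
    title: str
    # Constructed model of view restrictions: an empty set means anyone may
    # view the page; otherwise only the listed usernames may.
    view_restrictions: set[str] = field(default_factory=set)
    watchers: set[str] = field(default_factory=set)

    def can_view(self, username: str) -> bool:
        return not self.view_restrictions or username in self.view_restrictions


@dataclass
class Notification:
    recipient: str
    page_id: int
    body: str  # workbox notifications carried the full comment text


def notify_vulnerable(page: Page, comment_body: str) -> list[Notification]:
    """Pre-fix behaviour as described in the advisory: every watcher receives
    a notification containing the comment, with no view-permission check."""
    return [Notification(w, page.page_id, comment_body) for w in sorted(page.watchers)]


def notify_fixed(page: Page, comment_body: str) -> list[Notification]:
    """Hardened form: the view permission is re-evaluated per recipient at
    fan-out time, because restrictions may have tightened since watching."""
    return [
        Notification(w, page.page_id, comment_body)
        for w in sorted(page.watchers)
        if page.can_view(w)
    ]


def audit_watchers(pages: list[Page]) -> dict[int, list[str]]:
    """Defensive check: map each page id to watchers who cannot view it,
    i.e. the accounts that would have received leaked comment text."""
    leaks: dict[int, list[str]] = {}
    for p in pages:
        exposed = sorted(w for w in p.watchers if not p.can_view(w))
        if exposed:
            leaks[p.page_id] = exposed
    return leaks


def demo() -> tuple[list[str], list[str]]:
    # Constructed scenario: "mallory" started watching while the page was
    # unrestricted; the page was later restricted to "alice" and "bob".
    page = Page(101, "Q3 planning", watchers={"alice", "bob", "mallory"})
    page.view_restrictions = {"alice", "bob"}
    before = [n.recipient for n in notify_vulnerable(page, "Budget cut approved")]
    after = [n.recipient for n in notify_fixed(page, "Budget cut approved")]
    return before, after


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable recipients:", vulnerable)
    print("fixed recipients:     ", fixed)
```

The design point is that the permission check must live at the point where content is copied into a secondary channel (here, the workbox), not only on the page-view path; a watch relationship established earlier is not evidence of current authorization.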

      Affected versions:

      • Versions of Confluence starting with 4.3.0 before 6.2.1 are affected by this vulnerability.

      Fix:

      Workaround

      If you are unable to upgrade to the fixed version or newer and need a workaround, you will need to disable in-app notifications from workbox as per the instructions found here:

      1. Navigate to > General Configuration
      2. Choose In-app Notifications in the left-hand panel
      3. Select does not provide in-app notifications.
      4. The workbox icon will disappear from the Confluence top menu bar.

      Acknowledgements
      Atlassian would like to credit Mathias Frank of SEC Consult Vulnerability Lab for reporting this issue to us.


            Brian Adeloye (Inactive) made changes -
            Remote Link Original: This issue links to "Page (Confluence)" [ 521505 ]
            Brian Adeloye (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 521505 ]
            Katherine Yabut made changes -
            Workflow Original: JAC Bug Workflow v3 [ 2890089 ] New: CONFSERVER Bug Workflow v4 [ 2982470 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow v2 [ 2803655 ] New: JAC Bug Workflow v3 [ 2890089 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow [ 2737312 ] New: JAC Bug Workflow v2 [ 2803655 ]
            Owen made changes -
            Symptom Severity Original: Major [ 14431 ] New: Severity 2 - Major [ 15831 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2386894 ] New: JAC Bug Workflow [ 2737312 ]
            David Black made changes -
            Remote Link Original: This issue links to "Page (Extranet)" [ 298591 ]
            David Black made changes -
            Labels Original: CVE-2017-9505 advisory basm css-medium security New: CVE-2017-9505 advisory basm css-medium improper-authorization security
            David Black made changes -
            Labels Original: CVE-2017-9505 advisory css-medium poor-auth security New: CVE-2017-9505 advisory basm css-medium security
