[CONFSERVER-55237] The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 6.6.10, 6.8.2, 6.9.0, 6.10.0
Affects Version/s: 6.8.1
Component/s: Universal Plugin Manager / Manage apps
Labels:

Fixed in Long Term Support Release/s:

Download 6.6
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The version of the bundled Atlassian Universal Plugin Manager plugin had a cross site scripting vulnerability (XSS). See https://ecosystem.atlassian.net/browse/UPM-5871 for more details.

relates to

JRASERVER-66748 The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

Closed

PSR-179 You do not have permission to view this issue

UPM-5806 Failed to load

is related to

UPM-5871 XSS through user requested add-on names - CVE-2018-5229

Done

mentioned in: Page No Confluence page found with the given URL.

Minh Tran added a comment - 14/Nov/2018 4:29 AM

If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.10, which you can find in the Download Archives.

Minh Tran added a comment - 14/Nov/2018 4:29 AM If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.10, which you can find in the Download Archives .

Minh Tran added a comment - 26/Apr/2018 5:42 AM

A fix for this issue is available to Server and Data Center customers in Confluence 6.8.2
Upgrade now or check out the Release Notes to see what other issues are resolved.

Minh Tran added a comment - 26/Apr/2018 5:42 AM A fix for this issue is available to Server and Data Center customers in Confluence 6.8.2 Upgrade now or check out the Release Notes to see what other issues are resolved.

David Black added a comment - 23/Mar/2018 6:41 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 8.0 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

David Black added a comment - 23/Mar/2018 6:41 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 8.0 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Assignee:: Minh Tran

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 23/Mar/2018 6:40 AM

Updated:: 31/May/2023 10:15 PM

Resolved:: 26/Apr/2018 5:26 AM

Confluence Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[CONFSERVER-55237] The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

Collapse comment: Minh Tran added a comment - 14/Nov/2018 4:29 AM

Expand comment: Minh Tran added a comment - 14/Nov/2018 4:29 AM

Collapse comment: Minh Tran added a comment - 26/Apr/2018 5:42 AM

Expand comment: Minh Tran added a comment - 26/Apr/2018 5:42 AM

Collapse comment: David Black added a comment - 23/Mar/2018 6:41 AM, Edited by David Black - 23/Jul/2018 6:51 AM

Expand comment: David Black added a comment - 23/Mar/2018 6:41 AM, Edited by David Black - 23/Jul/2018 6:51 AM

People

Dates