There was an SSRF vulnerability in Confluence Server and Data Center in the WebDAV plugin. A remote attacker is able to exploit this issue to send arbitrary HTTP and WebDAV requests from a Confluence Server instance.

       

      Affected versions:

      • All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x).

       

      Fix:

       

      For additional details, see the full advisory: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20

       

          Form Name

            [CONFSERVER-57971] SSRF via WebDAV endpoint - CVE-2019-3395

            Instructions from KB above are invalid at least for Confluence 6.1.1 and 6.13.3. New macro require more parameters and simple macro name replacement doens't work.

            Yevgen Lasman added a comment - Instructions from KB above are invalid at least for Confluence 6.1.1 and 6.13.3. New macro require more parameters and simple macro name replacement doens't work.

            AB added a comment -

            rachel.x.purpel.-nd: No, it's just Office Connector (and the features of WebDAV itself).

            atlassian.resales: Firstly, we do recommend disabling the WebDAV plugin as a temporary measure only until you can complete an upgrade.

            Until then, disabling the WebDAV plugin will cause the "Edit in Office" button on attachment previews to stop functioning. It will also cause the following macros to stop working: viewdoc, viewxls, viewppt, and viewpdf. These macros can all be replaced with the File Preview macro. This can be done in bulk for your entire Confluence instance by following the SQL instructions on this KB article.

             

            AB added a comment - rachel.x.purpel.-nd : No, it's just Office Connector (and the features of WebDAV itself). atlassian.resales : Firstly, we do recommend disabling the WebDAV plugin as a temporary measure only until you can complete an upgrade. Until then, disabling the WebDAV plugin will cause the "Edit in Office" button on attachment previews to stop functioning. It will also cause the following macros to stop working: viewdoc, viewxls, viewppt, and viewpdf . These macros can all be replaced with the File Preview macro.  This can be done in bulk for your entire Confluence instance by following the SQL instructions on this KB article .  

            Hi Team,

            A customer has come across the following problem while going through our fix recommendations:

            We have come across an issue where even by disabling just the modules for the WebDAV plugin, our users are unable to edit their attachments using the Office Connector. I have a user where she is attempting use the “Edit in Office” option and receives an error of: 

            Any ideas of a way around this?

             

             

            ServiceRocket added a comment - Hi Team, A customer has come across the following problem while going through our fix recommendations: We have come across an issue where even by disabling just the modules for the WebDAV plugin, our users are unable to edit their attachments using the Office Connector. I have a user where she is attempting use the “Edit in Office” option and receives an error of:  Any ideas of a way around this?    

            All of the Office Connector macros (notably viewxls) are dependent on WebDAV and do not work if WebDAV is disabled. Are there other macros that might be broken when WebDAV is disabled? This is a major loss of functionality for our users.

            Rachel Purpel added a comment - All of the Office Connector macros (notably viewxls) are dependent on WebDAV and do not work if WebDAV is disabled. Are there other macros that might be broken when WebDAV is disabled? This is a major loss of functionality for our users.

            Thanks, overlooked that in the initial pass.

            Boris Berenberg - Atlas Authority added a comment - Thanks, overlooked that in the initial pass.

            Ed Letifov [TechTime - New Zealand] added a comment - @Boris Berenberg: According to this disabling is a mitigation:  https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html#ConfluenceSecurityAdvisory-2019-03-20-Mitigation

            Can the WebDAV plugin be disabled to mitigate the impact of this vulnerability?

            Boris Berenberg - Atlas Authority added a comment - Can the WebDAV plugin be disabled to mitigate the impact of this vulnerability?

            A fix for this issue is available to Server and Data Center customers in Confluence 6.12.3
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Ganesh Gautam added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.12.3 Upgrade now or check out the Release Notes to see what other issues are resolved.

            A fix for this issue is available to Server and Data Center customers in Confluence 6.13.3
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Ganesh Gautam added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.13.3 Upgrade now or check out the Release Notes to see what other issues are resolved.

            If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.12, which you can find in the Download Archives.

            Ganesh Gautam added a comment - If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.12, which you can find in the Download Archives .

              security-metrics-bot Security Metrics Bot
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              25 Start watching this issue

                Created:
                Updated:
                Resolved: