[CONFSERVER-57971] SSRF via WebDAV endpoint - CVE-2019-3395 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 6.6.7, 6.8.5, 6.9.3
Affects Version/s: 6.1.3, 6.7.3, 6.8.3
Component/s: Server - Plugin Development
Labels:

Fixed in Long Term Support Release/s:

Download 6.6
Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

There was an SSRF vulnerability in Confluence Server and Data Center in the WebDAV plugin. A remote attacker is able to exploit this issue to send arbitrary HTTP and WebDAV requests from a Confluence Server instance.

Affected versions:

All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x).

Fix:

Confluence Server version 6.15.1 is available for download from https://www.atlassian.com/software/confluence/download.
Confluence Server version 6.14.2 is available for download from https://www.atlassian.com/software/confluence/download-archives.
Confluence Server version 6.13.3 is available for download from https://www.atlassian.com/software/confluence/download-archives.
Confluence Server version 6.12.3 is available for download from https://www.atlassian.com/software/confluence/download-archives.
Confluence Server version 6.6.12 is available for download from https://www.atlassian.com/software/confluence/download-archives.

For additional details, see the full advisory: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20

causes

CONFSERVER-58070 Disabling WebDAV add-on will disable Office connector add-on.

Closed

relates to

CONFSERVER-57974 Remote code execution via Widget Connector macro - CVE-2019-3396

Closed

mentioned in: Confluence Security Advisory - 2019-03-20; Page Failed to load; Page Failed to load; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(7 mentioned in)

Ben Cambourne made changes - 06/Jun/2024 4:39 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 913549 ]

Eric Franklin (Inactive) made changes - 13/Dec/2023 5:37 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 847661 ]

Eric Franklin (Inactive) made changes - 08/Dec/2023 8:28 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 845996 ]

set-jac-bot made changes - 22/May/2020 8:25 AM

Fixed in Enterprise Release/s

New: [Download 6.6|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

Said made changes - 17/Feb/2020 5:14 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 471320 ]

David Black made changes - 31/Mar/2019 9:42 PM

Labels

Original: CVE-2019-3395 advisory advisory-to-release cvss-critical security ssrf windows

New: CVE-2019-3395 advisory advisory-released cvss-critical security ssrf windows

Chii (Inactive) made changes - 25/Mar/2019 11:29 PM

Link

New: This issue causes ~~CONFSERVER-58070~~ [ ~~CONFSERVER-58070~~ ]

FNU made changes - 20/Mar/2019 5:20 PM

Security

Original: Atlassian Staff [ 10750 ]

David Black made changes - 18/Mar/2019 12:20 AM

Priority

Original: Low [ 4 ]

New: Highest [ 1 ]

David Black made changes - 18/Mar/2019 12:18 AM

Link

New: This issue relates to ~~CONFSERVER-57974~~ [ ~~CONFSERVER-57974~~ ]

Assignee:: Security Metrics Bot

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 25 Start watching this issue

Created:: 27/Feb/2019 10:52 PM

Updated:: 06/Jun/2024 4:39 AM

Resolved:: 27/Feb/2019 11:37 PM

Confluence Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[CONFSERVER-57971] SSRF via WebDAV endpoint - CVE-2019-3395

People

Dates