-
Bug
-
Resolution: Fixed
-
Highest
-
6.1.3, 6.7.3, 6.8.3
-
Severity 1 - Critical
-
There was an SSRF vulnerability in Confluence Server and Data Center in the WebDAV plugin. A remote attacker is able to exploit this issue to send arbitrary HTTP and WebDAV requests from a Confluence Server instance.
Affected versions:
- All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x).
Fix:
- Confluence Server version 6.15.1 is available for download from https://www.atlassian.com/software/confluence/download.
- Confluence Server version 6.14.2 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.13.3 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.12.3 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.6.12 is available for download from https://www.atlassian.com/software/confluence/download-archives.
For additional details, see the full advisory: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20
- causes
-
CONFSERVER-58070 Disabling WebDAV add-on will disable Office connector add-on.
- Closed
- relates to
-
-
- Closed
-
- mentioned in
-
Page Failed to load
-
Page Failed to load
-
Page Loading...
-
-
-
-
-
-
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
[CONFSERVER-57971] SSRF via WebDAV endpoint - CVE-2019-3395
| Remote Link | New: This issue links to "Page (Confluence)" [ 913549 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 847661 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 845996 ] |
| Fixed in Enterprise Release/s | New: [Download 6.6|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 471320 ] |
rachel.x.purpel.-nd: No, it's just Office Connector (and the features of WebDAV itself).
atlassian.resales: Firstly, we do recommend disabling the WebDAV plugin as a temporary measure only until you can complete an upgrade.
Until then, disabling the WebDAV plugin will cause the "Edit in Office" button on attachment previews to stop functioning. It will also cause the following macros to stop working: viewdoc, viewxls, viewppt, and viewpdf. These macros can all be replaced with the File Preview macro. This can be done in bulk for your entire Confluence instance by following the SQL instructions on this KB article.
| Labels | Original: CVE-2019-3395 advisory advisory-to-release cvss-critical security ssrf windows | New: CVE-2019-3395 advisory advisory-released cvss-critical security ssrf windows |
Hi Team,
A customer has come across the following problem while going through our fix recommendations:
We have come across an issue where even by disabling just the modules for the WebDAV plugin, our users are unable to edit their attachments using the Office Connector. I have a user where she is attempting use the “Edit in Office” option and receives an error of:
Any ideas of a way around this?
| Link |
New:
This issue causes |
Instructions from KB above are invalid at least for Confluence 6.1.1 and 6.13.3. New macro require more parameters and simple macro name replacement doens't work.