-
Bug
-
Resolution: Fixed
-
Highest
-
6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.14.0, 6.14.1
-
Severity 1 - Critical
-
There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
Affected versions:
All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).
Fix:
- Confluence Server version 6.15.1 is available for download from https://www.atlassian.com/software/confluence/download.
- Confluence Server version 6.14.2 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.13.3 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.12.3 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- Confluence Server version 6.6.12 is available for download from https://www.atlassian.com/software/confluence/download-archives.
For additional details, see the full advisory: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20
Form Name |
---|
A fix for this issue is available to Server and Data Center customers in Confluence 6.10.3
Upgrade now or check out the Release Notes to see what other issues are resolved.
If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.14, which you can find in the Download Archives.
If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.5, which you can find in the Download Archives.