Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

      Affected versions:

      • All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

      Fix:

      For additional details, see the full advisory.

          Form Name

            [CONFSERVER-58102] Confluence - Path traversal vulnerability - CVE-2019-3398

            Is there a test we can run, locally, against the upgraded version to satisfy our ISO that this fix has actually resolved the vulnerability? Our auditors will surely require proof...

            Erin Collins added a comment - Is there a test we can run, locally, against the upgraded version to satisfy our ISO that this fix has actually resolved the vulnerability? Our auditors will surely require proof...

            We had provided no such permissions to remote users. Yet we were successfully attacked, apparently through this. The attack surface may be broader than your warning says.

            Whit Blauvelt added a comment - We had provided no such permissions to remote users. Yet we were successfully attacked, apparently through this. The attack surface may be broader than your warning says.

            Faustin L added a comment -

            Hi, is there a way to check quickly what file was potentially impacted?

             

            Faustin L added a comment - Hi, is there a way to check quickly what file was potentially impacted?  

            A fix for this issue is available to Server and Data Center customers in Confluence 6.15.2.

            Upgrade now or check out the Confluence 6.15 Release Notes to see what other issues are resolved.

            Maxim Leizerovich added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.15.2. Upgrade now or check out the Confluence 6.15 Release Notes to see what other issues are resolved.

            Maxim Leizerovich added a comment - - edited

            A fix for this issue is available to Server and Data Center customers in Confluence 6.14.3.

            Upgrade now or check out the Confluence 6.14 Release Notes to see what other issues are resolved.

            Maxim Leizerovich added a comment - - edited A fix for this issue is available to Server and Data Center customers in Confluence 6.14.3. Upgrade now or check out the Confluence 6.14 Release Notes to see what other issues are resolved.

            Maxim Leizerovich added a comment - - edited

            If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.4, which you can find in the Download Archives.

            Maxim Leizerovich added a comment - - edited If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.4, which you can find in the Download Archives .

            Maxim Leizerovich added a comment - - edited

            A fix for this issue is available to Server and Data Center customers in Confluence 6.12.4.

            Upgrade now or check out the Confluence 6.12 Release Notes to see what other issues are resolved.

            Maxim Leizerovich added a comment - - edited A fix for this issue is available to Server and Data Center customers in Confluence 6.12.4. Upgrade now or check out the Confluence 6.12 Release Notes to see what other issues are resolved.

            If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.13, which you can find in the Download Archives.

            Maxim Leizerovich added a comment - If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.13, which you can find in the Download Archives .

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 9.9 => Critical severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required Low
            User Interaction None

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

            David Black added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.9 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

              Unassigned Unassigned
              dblack David Black
              Affected customers:
              0 This affects my team
              Watchers:
              19 Start watching this issue

                Created:
                Updated:
                Resolved: