Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-58734

Local File Disclosure via Word Export in Confluence Server - CVE-2019-3394

      Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the <install-directory>/confluence/WEB-INF/ directory and it's subdirectories, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server LDAP credential is specified in atlassian-user.xml file, which is deprecated way of configure LDAP integration.

      Affected versions:

      • All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

      Fix:

      For additional details, see the full advisory.

      Workaround

      Please see the full advisory for mitigation information.

          Form Name

            [CONFSERVER-58734] Local File Disclosure via Word Export in Confluence Server - CVE-2019-3394

            Tim Menke added a comment -

            why is the CVE referenced in both 6.15.8 and 6.15.9?    If I have 6.15.8, do I need to update to .9 to be fixed?

             

            Thanks

            Tim Menke added a comment - why is the CVE referenced in both 6.15.8 and 6.15.9?    If I have 6.15.8, do I need to update to .9 to be fixed?   Thanks

            Couldn't you just disable all Export privileges for all users until an upgrade can be scheduled?

            Jeff Blaine added a comment - Couldn't you just disable all Export privileges for all users until an upgrade can be scheduled?

            Quan Pham added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 6.15.9
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Quan Pham added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.15.9 Upgrade now or check out the Release Notes to see what other issues are resolved.

            Quan Pham added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 6.13.8
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.8, which you can find in the Download Archives.

            Quan Pham added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.13.8 Upgrade now or check out the Release Notes to see what other issues are resolved. If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.8, which you can find in the Download Archives .

            Quan Pham added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 6.6.16
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.16, which you can find in the Download Archives.

            Quan Pham added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.6.16 Upgrade now or check out the Release Notes to see what other issues are resolved. If you're running the Confluence 6.6 Enterprise release, a fix for this issue is now available in Confluence 6.6.16, which you can find in the Download Archives .

            Quan Pham added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 6.15.8
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Quan Pham added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.15.8 Upgrade now or check out the Release Notes to see what other issues are resolved.

            Quan Pham added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 6.13.7
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.7, which you can find in the Download Archives.

            Quan Pham added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 6.13.7 Upgrade now or check out the Release Notes to see what other issues are resolved. If you're running the Confluence 6.13 Enterprise release, a fix for this issue is now available in Confluence 6.13.7, which you can find in the Download Archives .

            Ming (Inactive) added a comment - - edited

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 9.6 => Critical severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required Low
            User Interaction None

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability None

            See http://go.atlassian.com/cvss for more details.

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

            Ming (Inactive) added a comment - - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.6 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

              Unassigned Unassigned
              mchang@atlassian.com Ming (Inactive)
              Affected customers:
              0 This affects my team
              Watchers:
              14 Start watching this issue

                Created:
                Updated:
                Resolved: