-
Bug
-
Resolution: Fixed
-
Highest
-
6.1.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.14.0, 6.6.15, 6.13.6, 6.15.1, 6.15.7
-
Severity 1 - Critical
-
Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the <install-directory>/confluence/WEB-INF/ directory and it's subdirectories, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server LDAP credential is specified in atlassian-user.xml file, which is deprecated way of configure LDAP integration.
Affected versions:
- All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.
Fix:
- Confluence Server and Data Center versions 6.15.8 is available for download from https://www.atlassian.com/software/confluence/download.
- Confluence Server and Data Center versions 6.6.16 and 6.13.7 are available for download from https://www.atlassian.com/software/confluence/download-archives .
For additional details, see the full advisory.
Workaround
Please see the full advisory for mitigation information.
[CONFSERVER-58734] Local File Disclosure via Word Export in Confluence Server - CVE-2019-3394
| Remote Link | Original: This issue links to "Page (Confluence)" [ 800567 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 800567 ] |
| Fixed in Enterprise Release/s | New: [Download 6.6, 6.13|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html] |
| Labels | Original: CVE-2019-3394 advisory advisory-to-release cvss-critical information-disclosure security | New: CVE-2019-3394 advisory advisory-released cvss-critical information-disclosure security |
| Remote Link | New: This issue links to "Page (Confluence)" [ 471236 ] |
| Labels | Original: CVE-2019-3394 advisory advisory-to-release cvss-critical security | New: CVE-2019-3394 advisory advisory-to-release cvss-critical information-disclosure security |
| Description |
Original:
Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the *<install-directory>/confluence/WEB-INF/packages* directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server LDAP credential is specified in atlassian-user.xml file, which is deprecated way of configure LDAP integration.
*Affected versions:* * All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. *Fix:* * Confluence Server and Data Center versions 6.15.8 is available for download from https://www.atlassian.com/software/confluence/download. * Confluence Server and Data Center versions 6.6.16 and 6.13.7 are available for download from https://www.atlassian.com/software/confluence/download-archives . For additional details, see the [full advisory| https://confluence.atlassian.com/x/uAsvOg]. h3. Workaround Please see the [full advisory| https://confluence.atlassian.com/x/uAsvOg] for mitigation information. |
New:
Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the *<install-directory>/confluence/WEB-INF/* directory *and it's subdirectories*, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server LDAP credential is specified in atlassian-user.xml file, which is deprecated way of configure LDAP integration.
*Affected versions:* * All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. *Fix:* * Confluence Server and Data Center versions 6.15.8 is available for download from [https://www.atlassian.com/software/confluence/download]. * Confluence Server and Data Center versions 6.6.16 and 6.13.7 are available for download from [https://www.atlassian.com/software/confluence/download-archives] . For additional details, see the [full advisory|https://confluence.atlassian.com/x/uAsvOg]. h3. Workaround Please see the [full advisory|https://confluence.atlassian.com/x/uAsvOg] for mitigation information. |
| Fix Version/s | New: 6.13.8 [ 89193 ] | |
| Fix Version/s | New: 6.15.9 [ 89192 ] |
| Security | Original: Atlassian Staff [ 10750 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 445549 ] |