• Type: Bug
• Resolution: Fixed
• Priority: Highest
• Fix Version/s: 6.6.16, 6.13.7, 6.13.8, 6.15.8, 6.15.9
• Affects Version/s: 6.1.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.14.0, 6.6.15, 6.13.6, 6.15.1, 6.15.7
• Component/s: Editor - Core
• Labels:

  • CVE-2019-3394
  • advisory
  • advisory-released
  • cvss-critical
  • information-disclosure
  • security

[CONFSERVER-58734] Local File Disclosure via Word Export in Confluence Server - CVE-2019-3394

Byron Conroy made changes - 17/Aug/2023 12:57 AM

Remote Link

Original: This issue links to "Page (Confluence)" [ 800567 ]

Byron Conroy made changes - 16/Aug/2023 6:56 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 800567 ]

set-jac-bot made changes - 22/May/2020 8:26 AM

Fixed in Enterprise Release/s

New: [Download 6.6, 6.13|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

Colin Xu made changes - 06/Apr/2020 1:17 AM

Labels

Original: CVE-2019-3394 advisory advisory-to-release cvss-critical information-disclosure security

New: CVE-2019-3394 advisory advisory-released cvss-critical information-disclosure security

Said made changes - 17/Feb/2020 5:14 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 471236 ]

Said made changes - 06/Dec/2019 3:48 AM

Labels

Original: CVE-2019-3394 advisory advisory-to-release cvss-critical security

New: CVE-2019-3394 advisory advisory-to-release cvss-critical information-disclosure security

Collapse comment: Tim Menke added a comment - 20/Sep/2019 2:12 PM

Tim Menke added a comment - 20/Sep/2019 2:12 PM

why is the CVE referenced in both 6.15.8 and 6.15.9?    If I have 6.15.8, do I need to update to .9 to be fixed?

 

Thanks

Expand comment: Tim Menke added a comment - 20/Sep/2019 2:12 PM

Tim Menke added a comment - 20/Sep/2019 2:12 PM why is the CVE referenced in both 6.15.8 and 6.15.9?    If I have 6.15.8, do I need to update to .9 to be fixed?   Thanks

Sattesh M made changes - 30/Aug/2019 1:34 PM

Description

Original: Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the *<install-directory>/confluence/WEB-INF/packages* directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server LDAP credential is specified in atlassian-user.xml file, which is deprecated way of configure LDAP integration. *Affected versions:* * All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. *Fix:* * Confluence Server and Data Center versions 6.15.8 is available for download from https://www.atlassian.com/software/confluence/download. * Confluence Server and Data Center versions 6.6.16 and 6.13.7 are available for download from https://www.atlassian.com/software/confluence/download-archives . For additional details, see the [full advisory| https://confluence.atlassian.com/x/uAsvOg]. h3. Workaround Please see the [full advisory| https://confluence.atlassian.com/x/uAsvOg] for mitigation information.

New: Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the *<install-directory>/confluence/WEB-INF/* directory *and it's subdirectories*, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server LDAP credential is specified in atlassian-user.xml file, which is deprecated way of configure LDAP integration. *Affected versions:*  * All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. *Fix:*  * Confluence Server and Data Center versions 6.15.8 is available for download from [https://www.atlassian.com/software/confluence/download].  * Confluence Server and Data Center versions 6.6.16 and 6.13.7 are available for download from [https://www.atlassian.com/software/confluence/download-archives] . For additional details, see the [full advisory|https://confluence.atlassian.com/x/uAsvOg]. h3. Workaround Please see the [full advisory|https://confluence.atlassian.com/x/uAsvOg] for mitigation information.

Collapse comment: Jeff Blaine added a comment - 29/Aug/2019 3:03 PM

Jeff Blaine added a comment - 29/Aug/2019 3:03 PM

Couldn't you just disable all Export privileges for all users until an upgrade can be scheduled?

Expand comment: Jeff Blaine added a comment - 29/Aug/2019 3:03 PM

Jeff Blaine added a comment - 29/Aug/2019 3:03 PM Couldn't you just disable all Export privileges for all users until an upgrade can be scheduled?

Collapse comment: Quan Pham added a comment - 29/Aug/2019 9:20 AM

Quan Pham added a comment - 29/Aug/2019 9:20 AM

A fix for this issue is available to Server and Data Center customers in Confluence 6.15.9
Upgrade now or check out the Release Notes to see what other issues are resolved.

Expand comment: Quan Pham added a comment - 29/Aug/2019 9:20 AM

Quan Pham added a comment - 29/Aug/2019 9:20 AM A fix for this issue is available to Server and Data Center customers in Confluence 6.15.9 Upgrade now or check out the Release Notes to see what other issues are resolved.

Load more older events