Details
-
Public Security Vulnerability
-
Status: Published (View Workflow)
-
Low
-
Resolution: Fixed
-
5.7.4
-
None
-
4.3
-
Medium
-
CVE-2021-26072
Description
Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability in the widgetconnector plugin.
When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information.
The patch is deployed by configuring the Confluence URL allow list. N.B: The allowlist is enabled by default. But the fixed versions will be vulnerable if allowlist is disabled by the administrator.
The affected versions are before version 5.8.6.
Affected versions:
- version < 5.8.6
Fixed versions:
- 5.8.6
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
Scope Metric
| Scope | Unchanged |
|---|
Impact Metrics
| Confidentiality | Low |
|---|---|
| Integrity | None |
| Availability | None |
See http://go.atlassian.com/cvss for more details.
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attachments
Issue Links
- mentioned in
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- relates to
-