Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability in the widgetconnector plugin.
When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.
The patch is deployed by configuring the Confluence URL allowlist. N.B.: the allowlist is enabled by default, but the fixed versions are vulnerable if the allowlist is disabled by the administrator.
The affected versions are before version 5.8.6.
- version < 5.8.6
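The mitigation above rests on a URL allowlist for outbound fetches, and the advisory's caveat is that a fixed version becomes vulnerable again if that allowlist is switched off. The following Python snippet is an added illustration of that principle, written for this page; it is not Confluence's own code and says nothing about how the product implements its allowlist. The hostnames in `ALLOWED_HOSTS` are constructed, and the `allowlist_enabled` parameter is a hypothetical switch that models the "allowlist disabled" state. The check accepts only http(s) URLs whose host is on the allowlist, and refuses literal addresses in private, loopback or link-local ranges, which is where the EC2 metadata endpoint (169.254.169.254) lives.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: hosts an outbound-fetching feature may contact.
ALLOWED_HOSTS = {"wiki.example.com", "feeds.example.org"}


def is_allowed_url(url: str, allowed_hosts=ALLOWED_HOSTS,
                   allowlist_enabled: bool = True) -> bool:
    """Return True only if the URL may be fetched server-side.

    With the allowlist disabled (hypothetical switch mirroring the
    advisory's caveat) every destination is accepted, which is exactly
    the state in which the SSRF becomes exploitable again.
    """
    if not allowlist_enabled:
        return True

    try:
        parts = urlsplit(url)
    except ValueError:
        return False

    # Only plain web schemes; no file:, gopher:, etc.
    if parts.scheme not in ("http", "https"):
        return False

    # urlsplit().hostname strips userinfo, so "http://good.host@169.254.169.254/"
    # yields the real target (169.254.169.254), not the decoy prefix.
    host = parts.hostname
    if not host:
        return False

    # Literal IP addresses: refuse anything that is not globally routable.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
            return False
        return host in allowed_hosts

    return host.lower() in allowed_hosts


if __name__ == "__main__":
    for u in ("https://wiki.example.com/display/HOME",
              "http://169.254.169.254/latest/meta-data/",
              "http://wiki.example.com@169.254.169.254/",
              "http://127.0.0.1:8090/"):
        print(f"{u!r}: allowed={is_allowed_url(u)}")
```

Hostname entries are only checked by name here; a production check would also resolve the name and apply the same address-range test to every resolved address, otherwise a DNS record pointing at a link-local address would slip through.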
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity
See http://go.atlassian.com/cvss for more details.