• CVSS v3 score: 4.3
    • Severity: Medium
    • CVE-2021-26072

      Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability in the widgetconnector plugin.

      When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.

      The mitigation is deployed by configuring the Confluence URL allow list. N.B.: the allowlist is enabled by default, but the fixed versions will still be vulnerable if the administrator disables the allowlist or configures it to be overly permissive.

      The affected versions are before version 5.8.6.

      Affected versions:

      • version < 5.8.6

      Fixed versions:

      • 5.8.6  
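      As an added illustration of the allowlist caveat above (this is not Atlassian's code), the following Python model evaluates allowlist rules against an outbound URL and audits which rules would let a server-side request reach loopback, link-local or private destinations. The rule types and matching semantics are assumptions modelled on the allowlist UI, not the product's implementation; the link-local metadata address is a well-known value, not one taken from the advisory.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Rule types modelled on the Confluence allowlist UI (exact match, domain
# name, wildcard expression, regular expression). The matching semantics here
# are an assumption for illustration, not Confluence's own implementation.
def rule_permits(rule, url):
    """True if one allowlist rule (kind, pattern) would admit the outbound URL."""
    kind, pattern = rule
    if kind == "exact":
        return url == pattern
    if kind == "domain":
        host = urlsplit(url).hostname or ""
        return host == pattern or host.endswith("." + pattern)
    if kind == "wildcard":
        # fnmatch '*' also matches '/' and '.', so "http://*" admits every http URL.
        return fnmatch.fnmatchcase(url, pattern)
    if kind == "regex":
        return re.fullmatch(pattern, url) is not None
    raise ValueError(f"unknown rule type {kind!r}")

def allowlist_permits(rules, url):
    """True if any rule admits the URL (an empty allowlist admits nothing)."""
    return any(rule_permits(r, url) for r in rules)

# Constructed probe destinations a blind SSRF should never reach through the
# allowlist: loopback, link-local (where cloud instance-metadata services such
# as EC2's answer; a well-known address, not taken from the advisory) and
# RFC 1918 ranges.
PROBE_URLS = (
    "http://127.0.0.1:8090/",
    "http://169.254.169.254/",
    "http://10.0.0.5/",
    "http://192.168.1.20/",
)

def audit_allowlist(rules):
    """Return (rule, probe_url) pairs for every rule that admits an internal
    probe destination; an empty list means the allowlist is not overly
    permissive with respect to these probes."""
    return [(rule, url) for rule in rules for url in PROBE_URLS
            if rule_permits(rule, url)]

if __name__ == "__main__":
    # Constructed example configurations.
    tight = [("domain", "example.com"), ("exact", "https://wiki.example.com/rss")]
    loose = [("regex", ".*"), ("wildcard", "http://*")]
    print("tight findings:", audit_allowlist(tight))   # []
    print("loose findings:", len(audit_allowlist(loose)))  # 8
```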

       


      This is an independent assessment and you should evaluate its applicability to your own IT environment.

      CVSS v3 score: 4.3 => Medium severity

      Exploitability Metrics

      Attack Vector: Network
      Attack Complexity: Low
      Privileges Required: Low
      User Interaction: None

      Scope Metric

      Scope: Unchanged

      Impact Metrics

      Confidentiality: Low
      Integrity: None
      Availability: None

      See http://go.atlassian.com/cvss for more details.

      https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

            [CONFSERVER-61399] Blind SSRF in widgetConnector - CVE-2021-26072

            Aleksandra Wieczorek made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 971893 ]
            Wendy R made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 969673 ]
            Wendy R made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 960025 ]
            Iryna Solonyshyn (Inactive) made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 931932 ]
            James Ponting made changes -
            Description Original: Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability in the {{widgetconnector}} plugin.

            When running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.

            The patch is deployed by configuring the [Confluence URL allow list|https://confluence.atlassian.com/doc/configuring-the-allowlist-381255821.html]. *N.B:* The allowlist is enabled by default. But the fixed versions will be vulnerable if the allowlist is disabled by the administrator.

            The affected versions are before version 5.8.6.

             

            *Affected versions:*
             * version < 5.8.6

            *Fixed versions:*
             * 5.8.6  

             
            ----
            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 4.3 => Medium severity

            *Exploitability Metrics*
            ||Attack Vector|Network|
            ||Attack Complexity|Low|
            ||Privileges Required|Low|
            ||User Interaction|None|

            *Scope Metric*
            ||Scope|Unchanged|

            *Impact Metrics*
            ||Confidentiality|Low|
            ||Integrity|None|
            ||Availability|None|

            See [http://go.atlassian.com/cvss] for more details.

            [https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]
            New: the current description as shown at the top of this page.
            Mandeep Jadon made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 733359 ]
            Wendy H made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 706571 ]
            Security Metrics Bot made changes -
            CVE ID New: CVE-2021-26072
            Rachel Robins made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 570318 ]
            Rachel Robins made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 570047 ]
