Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-61399

Blind SSRF in widgetConnector - CVE-2021-26072

    XMLWordPrintable

    Details

    • CVSS Score:
      4.3
    • CVSS Severity:
      Medium
    • CVE ID:
      CVE-2021-26072

      Description

      Affected versions of Atlassian Confluence Server allow remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability in the widgetconnector plugin.

      When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information. 

      The patch is deployed by configuring the Confluence URL allow list. N.B: The allowlist is enabled by default. But the fixed versions will be vulnerable if allowlist is disabled by the administrator. 

      The affected versions are before version 5.8.6.

       

      Affected versions:

      • version < 5.8.6

      Fixed versions:

      • 5.8.6  

       


      This is an independent assessment and you should evaluate its applicability to your own IT environment.

      CVSS v3 score: 4.3 => Medium severity

      Exploitability Metrics

      Attack Vector Network
      Attack Complexity Low
      Privileges Required Low
      User Interaction None

      Scope Metric

      Scope Unchanged

      Impact Metrics

      Confidentiality Low
      Integrity None
      Availability None

      See http://go.atlassian.com/cvss for more details.

      https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: