[CONFSERVER-61453] Blind SSRF in Team Calendars REST API using location parameter - CVE-2020-29445 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 7.4.8, 7.11.0
Affects Version/s: 7.4.6
Component/s: None
Labels:

CVSS Score:
4.3
CVSS Severity:
Medium
CVE ID:
CVE-2020-29445

Affected versions of Confluence Server allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters.

Affected versions:

< 7.11.0

Fixed versions:

7.11.0
7.4.8 (LTS)

This vulnerability is attributed to Stefano Castilletti, a security researcher at Apple.

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load

Mandeep Jadon made changes - 21/Feb/2023 3:40 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 733360 ]

Cathy S made changes - 01/Jun/2022 2:34 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 647673 ]

Cathy S made changes - 22/Mar/2022 4:56 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 629054 ]

Security Metrics Bot made changes - 16/Sep/2021 5:28 AM

CVE ID

New: CVE-2020-29445

Rodrigo Girardi Adami made changes - 07/Jun/2021 9:15 PM

Description

Original: Affected versions of Confluence Server allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters.

Affected versions:
* < 7.11.0

Fixed versions:
* 7.11.0

This vulnerability is attributed to Stefano Castilletti, a security researcher at Apple.

New: Affected versions of Confluence Server allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters.

Affected versions:
* < 7.11.0

Fixed versions:
* 7.11.0
* 7.4.8 (LTS)

This vulnerability is attributed to Stefano Castilletti, a security researcher at Apple.

chucktalk (Inactive) made changes - 01/Jun/2021 4:59 PM

Remote Link

Original: This issue links to "Page (Confluence)" [ 553511 ]

chucktalk (Inactive) made changes - 18/May/2021 1:48 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 553511 ]

Rodrigo Girardi Adami made changes - 17/May/2021 1:52 PM

Fix Version/s

New: 7.4.8 [ 94601 ]

Eugen Zwinger [demicon] added a comment - 11/May/2021 10:40 AM

Is it planed to include this bug fixes also into the current LTS Version?

Eugen Zwinger [demicon] added a comment - 11/May/2021 10:40 AM Is it planed to include this bug fixes also into the current LTS Version?

David Black made changes - 07/May/2021 5:59 AM

Labels

Original: advisory advisory-to-release dont-import security

New: advisory advisory-released dont-import security

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 03/Mar/2021 10:39 PM

Updated:: 21/Feb/2023 3:40 PM

Resolved:: 07/May/2021 5:59 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[CONFSERVER-61453] Blind SSRF in Team Calendars REST API using location parameter - CVE-2020-29445

Collapse comment: Eugen Zwinger [demicon] added a comment - 11/May/2021 10:40 AM

Expand comment: Eugen Zwinger [demicon] added a comment - 11/May/2021 10:40 AM

People

Dates