Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-67893

Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085

    • 5.2
    • Medium
    • CVE-2021-26085

      Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.

      The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.

      This vulnerability was discovered by Amit Laish, GE Digital, Cyber Security Lab.

       

      Affected versions:

      • version < 7.4.10
      • 7.5.0 ≤ version < 7.12.3

      Fixed versions:

      • 7.4.10
      • 7.12.3
      • 7.13.0
      • 7.14.0  

            [CONFSERVER-67893] Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085

            Aleksandr Kuznetsov added a comment - - edited

            Will the fix be prepared for Data Center v7.11.6 ?

            Aleksandr Kuznetsov added a comment - - edited Will the fix be prepared for Data Center v7.11.6 ?

            When's the fix for Atlassian cloud supposed to go live? We use Altassian cloud at my company and I've verified that I can read certain files without authentication in my account.

            Alfredo Hickman added a comment - When's the fix for Atlassian cloud supposed to go live? We use Altassian cloud at my company and I've verified that I can read certain files without authentication in my account.

            A fix for this issue is available to Server and Data Center customers in Confluence 7.13.0
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Jiri Hronik added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 7.13.0 Upgrade now or check out the Release Notes to see what other issues are resolved.

            A fix for this issue is available to Server and Data Center customers in Confluence 7.4.10
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Jiri Hronik added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 7.4.10 Upgrade now or check out the Release Notes to see what other issues are resolved.

            AB added a comment - - edited

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 5.3 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality Low
            Integrity None
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

            AB added a comment - - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated:
                Resolved: