-
Public Security Vulnerability
-
Resolution: Fixed
-
Low
-
7.6.3, 7.8.3, 7.9.0, 7.10.0, 7.10.1
-
None
-
5.2
-
Medium
-
CVE-2021-26085
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.
The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
This vulnerability was discovered by Amit Laish, GE Digital, Cyber Security Lab.
Affected versions:
- version < 7.4.10
- 7.5.0 ≤ version < 7.12.3
Fixed versions:
- 7.4.10
- 7.12.3
- 7.13.0
- 7.14.0
- is related to
-
-
- Published
-
-
-
- Published
-
[CONFSERVER-67893] Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085
When's the fix for Atlassian cloud supposed to go live? We use Altassian cloud at my company and I've verified that I can read certain files without authentication in my account.
A fix for this issue is available to Server and Data Center customers in Confluence 7.13.0
Upgrade now or check out the Release Notes to see what other issues are resolved.
A fix for this issue is available to Server and Data Center customers in Confluence 7.4.10
Upgrade now or check out the Release Notes to see what other issues are resolved.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 5.3 => Medium severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
Scope Metric
| Scope | Unchanged |
|---|
Impact Metrics
| Confidentiality | Low |
|---|---|
| Integrity | None |
| Availability | None |
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Will the fix be prepared for Data Center v7.11.6 ?