Loading...

XML

Word

Printable

Details

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
Affects Version/s: 7.4.0, 7.13.0, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0
Component/s: None
Labels:

CVSS Score:
10
CVSS Severity:
Critical
CVE ID:
CVE-2016-10750

Description

Summary
A remote attacker who can connect to the Hazelcast service, running on port 5801 (and potentially 5701), is able to execute arbitrary code on all the nodes in a Confluence Data Center through Java deserialization.

Vulnerability Details
Confluence Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2016-10750). Hazelcast provides functionality needed to run Confluence Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted JoinRequest, resulting in arbitrary code execution.

The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(2 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Jun/2022 6:20 AM

Updated:: 02/Aug/2022 5:56 AM

Resolved:: 06/Jun/2022 6:40 AM