[CONFSERVER-82436] Information disclosure via Synchrony service

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 8.1.0, 7.19.6, 7.13.14
Affects Version/s: 7.11.2
Component/s: None
Labels:

CVSS Score:
6.5
CVSS Severity:
Medium

Affected versions of Atlassian Confluence Server allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the Synchrony service.

This vulnerability was discovered by Rojan Rijal of Tinder Security Engineering.

The affected versions are before version 7.13.14, from version 7.14.0 before 7.19.6, and from version 7.20.0 before 8.1.0.

Affected versions:

version < 7.13.14
7.14.0 ≤ version < 7.19.6
7.20.0 ≤ version < 8.1.0

Fixed versions:

7.13.14
7.19.6
8.1.0

Aline Souza added a comment - 06/Mar/2023 6:17 AM

Hi Team,

could you please confirm either Confluence Data Center is affected by it?
Thank you & Regards

Aline

Aline Souza added a comment - 06/Mar/2023 6:17 AM Hi Team, could you please confirm either Confluence Data Center is affected by it? Thank you & Regards Aline

Simon Peters (L) added a comment - 05/Mar/2023 10:28 PM

What sort of Information Disclosure is this.

Is it one of those things where you can only get confirmation if a thing with a certain name exists or is there a risk of Page Content, Attachment or Credential leak via this vulnerability?

Simon Peters (L) added a comment - 05/Mar/2023 10:28 PM What sort of Information Disclosure is this. Is it one of those things where you can only get confirmation if a thing with a certain name exists or is there a risk of Page Content, Attachment or Credential leak via this vulnerability?

Security Metrics Bot added a comment - 23/Feb/2023 1:47 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 6.5 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/?#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Security Metrics Bot added a comment - 23/Feb/2023 1:47 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 6.5 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/?#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 23/Feb/2023 6:33 AM

Updated:: 19/Apr/2023 4:34 AM

Resolved:: 02/Mar/2023 1:54 AM

Details

Description

Attachments

Forms

Activity

Collapse comment: Aline Souza added a comment - 06/Mar/2023 6:17 AM

Expand comment: Aline Souza added a comment - 06/Mar/2023 6:17 AM

Collapse comment: Simon Peters (L) added a comment - 05/Mar/2023 10:28 PM

Expand comment: Simon Peters (L) added a comment - 05/Mar/2023 10:28 PM

Collapse comment: Security Metrics Bot added a comment - 23/Feb/2023 1:47 PM

Expand comment: Security Metrics Bot added a comment - 23/Feb/2023 1:47 PM

People

Dates