Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-83218

A user with read permissions to a Confluence page is able to upload attachments - CVE-2023-22504

    XMLWordPrintable

Details

    • 4.3
    • Medium
    • CVE-2023-22504

    Description

      Affected versions of Atlassian Confluence Server and Data Center allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

      The affected versions are before version 7.13.17, from version 7.14.0 before 7.19.9, and from version 7.20.0 before 8.2.2.

      This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team.

      Affected versions:

      • version < 7.13.17
      • 7.14.0 ≀ version < 7.19.9
      • 7.20.0 ≀ version < 8.2.2

      Fixed versions:

      • 7.13.17
      • 7.19.9
      • 8.2.2
      • 8.3.0

      Attachments

        Issue Links

          mentions

          CSP-316627 Loading...

          Activity

            People

              ablack@atlassian.com AB
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: