[CONFSERVER-83218] A user with read permissions to a Confluence page is able to upload attachments - CVE-2023-22504 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 8.3.0, 7.13.17, 7.19.9, 8.2.2
Affects Version/s: 7.13.0
Component/s: None
Labels:

CVSS Score:
4.3
CVSS Severity:
Medium
CVE ID:
CVE-2023-22504

Affected versions of Atlassian Confluence Server and Data Center allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

The affected versions are before version 7.13.17, from version 7.14.0 before 7.19.9, and from version 7.20.0 before 8.2.2.

This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team.

Affected versions:

version < 7.13.17
7.14.0 ≤ version < 7.19.9
7.20.0 ≤ version < 8.2.2

Fixed versions:

7.13.17
7.19.9
8.2.2
8.3.0

mentions: CSP-316627 You do not have permission to view this issue

AB added a comment - 17/Aug/2023 2:43 AM

ddb136f454b4 Yes, it's reflected in the attachment's version history as per a normal update.

AB added a comment - 17/Aug/2023 2:43 AM ddb136f454b4 Yes, it's reflected in the attachment's version history as per a normal update.

Oleksiy Brushkovskyy added a comment - 16/Aug/2023 1:48 PM

Would it be reflected in the attachment's version history?

Oleksiy Brushkovskyy added a comment - 16/Aug/2023 1:48 PM Would it be reflected in the attachment's version history?

AB added a comment - 06/Jun/2023 11:37 PM

50e16252c2f5 Yes, that's correct. I've updated the ticket description to confirm this.

AB added a comment - 06/Jun/2023 11:37 PM 50e16252c2f5 Yes, that's correct. I've updated the ticket description to confirm this.

AB made changes - 06/Jun/2023 11:35 PM

Assignee

New: AB [ ablack@atlassian.com ]

AB made changes - 06/Jun/2023 11:35 PM

Description

Original: Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

The affected versions are before version 7.13.17, from version 7.14.0 before 7.19.9, and from version 7.20.0 before 8.2.2.

This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team.

*Affected versions:*
* version < 7.13.17
* 7.14.0 ≤ version < 7.19.9
* 7.20.0 ≤ version < 8.2.2

*Fixed versions:*
* 7.13.17
* 7.19.9
* 8.2.2
* 8.3.0

New: Affected versions of Atlassian Confluence Server and Data Center allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

The affected versions are before version 7.13.17, from version 7.14.0 before 7.19.9, and from version 7.20.0 before 8.2.2.

This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team.

*Affected versions:*
* version < 7.13.17
* 7.14.0 ≤ version < 7.19.9
* 7.20.0 ≤ version < 8.2.2

*Fixed versions:*
* 7.13.17
* 7.19.9
* 8.2.2
* 8.3.0

Ryoji Takata (Inactive) made changes - 06/Jun/2023 3:03 AM

Remote Link

New: This issue links to "CSP-316627 (Atlassian Support System)" [ 773011 ]

Security Metrics Bot made changes - 04/Jun/2023 8:28 PM

CVE ID

New: CVE-2023-22504

William W added a comment - 01/Jun/2023 1:51 PM

I assume because this is listed under Confluence "Server" it applies to both Data Center and Server? Can you please confirm?

William W added a comment - 01/Jun/2023 1:51 PM I assume because this is listed under Confluence "Server" it applies to both Data Center and Server? Can you please confirm?

AB made changes - 30/May/2023 11:29 PM

Summary

Original: A user with read permissions to a Confluence page is able to upload attachments

New: A user with read permissions to a Confluence page is able to upload attachments - CVE-2023-22504

AB made changes - 30/May/2023 11:28 PM

Description

Original: Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

The affected versions are before version 7.19.9.

This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team.

*Affected versions:*
* version < 7.19.9

*Fixed versions:*
* 7.19.9

New: Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

The affected versions are before version 7.13.17, from version 7.14.0 before 7.19.9, and from version 7.20.0 before 8.2.2.

This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team.

*Affected versions:*
* version < 7.13.17
* 7.14.0 ≤ version < 7.19.9
* 7.20.0 ≤ version < 8.2.2

*Fixed versions:*
* 7.13.17
* 7.19.9
* 8.2.2
* 8.3.0

Assignee:: AB

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 20/Apr/2023 12:43 PM

Updated:: 17/Aug/2023 2:43 AM

Resolved:: 29/May/2023 12:39 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[CONFSERVER-83218] A user with read permissions to a Confluence page is able to upload attachments - CVE-2023-22504

Collapse comment: AB added a comment - 17/Aug/2023 2:43 AM

Expand comment: AB added a comment - 17/Aug/2023 2:43 AM

Collapse comment: Oleksiy Brushkovskyy added a comment - 16/Aug/2023 1:48 PM

Expand comment: Oleksiy Brushkovskyy added a comment - 16/Aug/2023 1:48 PM

Collapse comment: AB added a comment - 06/Jun/2023 11:37 PM

Expand comment: AB added a comment - 06/Jun/2023 11:37 PM

Collapse comment: William W added a comment - 01/Jun/2023 1:51 PM

Expand comment: William W added a comment - 01/Jun/2023 1:51 PM

People

Dates