• 7.5
    • High
    • CVE-2023-28709
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • Patch Management
    • Confluence Data Center, Confluence Server

This high severity Patch Management vulnerability was introduced in version 7.13.15 of Confluence Data Center & Server.

This Patch Management vulnerability, with a CVSS score of 7.5, allows an authenticated attacker to expose assets in your environment susceptible to exploitation. It has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

      The following Confluence Data Center & Server versions are affected:

      >= 7.13.15 < 7.13.19
      >= 7.19.7 < 7.19.11
      >= 8.1.1 < 8.4.1

Atlassian recommends that you upgrade your instance to the latest version. If you're unable to do so, upgrade to one of these fixed versions: 7.13.19, 7.19.11 or 8.4.1. See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center & Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

The following is the NVD description listed for this vulnerability's CVE:

      • The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
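As an added example (not from the ticket or from Atlassian), the two conditions the NVD text and the comments name can be turned into a defender-side configuration check: a bundled Tomcat build inside an affected range, plus an HTTP Connector in server.xml with maxParameterCount explicitly set. The server.xml and version strings below are constructed samples.

```python
# Added example, not Atlassian code: check the two conditions named on the page for
# CVE-2023-28709 (affected Tomcat build AND a Connector with explicit maxParameterCount).
import xml.etree.ElementTree as ET

# Affected Tomcat ranges, inclusive, copied from the NVD description on the page.
AFFECTED_RANGES = [
    ("8.5.85", "8.5.87"),
    ("9.0.71", "9.0.73"),
    ("10.1.5", "10.1.7"),
    ("11.0.0-M2", "11.0.0-M4"),
]


def parse_version(v: str) -> tuple:
    """'9.0.73' -> (9, 0, 73); milestone '11.0.0-M4' -> (11, 0, 0, 4) so GA sorts before it."""
    base, _, milestone = v.partition("-M")
    parts = [int(p) for p in base.split(".")]
    if milestone:
        parts.append(int(milestone))
    return tuple(parts)


def tomcat_in_affected_range(version: str) -> bool:
    """True if the Tomcat version falls inside one of the NVD-listed ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def connectors_with_explicit_max_param_count(server_xml: str) -> list:
    """Return (port, maxParameterCount) for each Connector that sets the attribute explicitly."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), int(c.get("maxParameterCount")))
            for c in root.iter("Connector") if "maxParameterCount" in c.attrib]


def needs_fix(version: str, server_xml: str) -> bool:
    """Both page conditions must hold for the part-limit bypass to be reachable."""
    return tomcat_in_affected_range(version) and bool(connectors_with_explicit_max_param_count(server_xml))


# Constructed sample server.xml: one default connector, one with an explicit limit.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" maxParameterCount="1000" SSLEnabled="true"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for ver in ("9.0.63", "9.0.73", "9.0.76"):
        print(ver, "in affected range" if tomcat_in_affected_range(ver) else "outside affected range")
    print("explicit maxParameterCount:", connectors_with_explicit_max_param_count(SAMPLE_SERVER_XML))
    print("needs fix:", needs_fix("9.0.73", SAMPLE_SERVER_XML))
```

The Tomcat version is the one bundled with the Confluence release (the comments cite 9.0.63 for 7.14.3 and 9.0.76 for 7.19.11); read it from your installation rather than guessing.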


            [CONFSERVER-90185] Third-Party Dependency Vulnerability in Confluence

            Jonathan Wilson added a comment - I truly wish Atlassian would better describe affected versions.  This should be improved in the future.

Sujay C Hegde (Inactive) added a comment - edited

Hi 879e71060473 ,

7.14.3 was released way back on 02-Jun-2022 and it was using Tomcat 9.0.63, which has the vulnerability.
We don't release 7.14.x versions any more.
Refer to the 7.14.3 section in https://www.atlassian.com/software/confluence/download-archives

One would have to upgrade minimally to 7.19.11, which contains Tomcat 9.0.76 and hence is sanitised, i.e. does not have the vulnerability.
Refer to https://www.atlassian.com/software/confluence/download-archives for details.

Thank You.

EPassLeadership@dca.ca.gov added a comment - Hello, I am having difficulty understanding the versions with the issues... Does version 7.14.3 contain the vulnerability? Thank you.

            Lee Berg added a comment -

            Hey all, FYI I have updated the description of this ticket:

            "high impact to confidentiality, high impact to integrity" has been updated to match the specified CVSS Vector details for this CVE: "no impact to confidentiality, no impact to integrity"

            Apologies for any confusion this may have caused, we are reviewing internally how this incorrect description detail was posted.

            Thank you 1caf9a948cc0 & c5ec364a278c , great catch, appreciate you taking the time to comment!

Kanchana WIjerathna added a comment -

Atlassian replied that

Additionally, I'd like to share with you that for this vulnerability to be exploited, these conditions must also be met:

• A custom connector with an explicitly defined maxParameterCount

            Patrick Albrecht added a comment - - edited

            Based on the CVSSv3 Vector field, the integrity and confidentiality impact is none (I:N and C:N) but your sentence here:

            susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

            says something different. Could you please clarify this?

            wwiehler added a comment -

            "If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters" -> So it depends on the configuration if we are affected or not, right? Is there any config check available for this CVE to see if the system needs this fix or not?

Tobias Moritz added a comment - The Apache Tomcat CVE-2023-28709 mentions a potential DoS only. This affects availability, obviously. What was the reason Atlassian flags this as "high impact to confidentiality, high impact to integrity, high impact to availability" for Confluence?

            Justin Deutsch added a comment - - edited

            Does this CVE also apply to Jira/Jira LTS? I can't (quickly) see whether the latest versions of Jira/Jira LTS are impacted.

What about Crowd too?
