-
Public Security Vulnerability
-
Resolution: Fixed
-
High
-
7.13.0, (53)
7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7, 7.13.8, 7.13.9, 7.13.10, 7.13.11, 7.13.12, 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 8.1.0, 8.2.0, 8.3.0, 8.5.0, 7.13.13, 7.19.6, 7.13.14, 8.1.1, 7.13.15, 7.13.16, 7.13.17, 7.13.18, 7.13.19, 7.19.7, 7.19.8, 7.19.9, 7.19.10, 7.19.11, 8.1.3, 8.2.1, 8.1.4, 8.2.2, 8.2.3, 8.3.1, 8.3.2, 7.13.20, 7.19.12, 8.5.1, 7.19.14, 8.5.2, 7.19.15, 7.19.16, 8.3.3, 8.5.3, 8.3.4 -
None
-
7.5
-
High
-
CVE-2022-28366
-
Atlassian (Internal)
-
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
DoS (Denial of Service)
-
Confluence Data Center, Confluence Server
This High severity Third-Party Dependency vulnerability was introduced in versions 7.13.0, 7.19, 8.1.0, 8.2.0, 8.3.0 and 8.5 of Confluence Data Center and Server.
This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
- Confluence Data Center and Server 8.6: Upgrade to a release greater than or equal to 8.6.0
See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).
The National Vulnerability Database provides the following description for this vulnerability: Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
[CONFSERVER-93169] DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml in Confluence Data Center and Server
This ticket refers to CVE-2022-24839 as possibly related. Doing a search in a local Confluence v7.19.16 LTS deployment, I found two neko based files in my <confluence-install>/confluence/WEB-INF/lib/ directory:
1) nekohtml-1.9.22-atlassian-2.jar
2) neko-htmlunit-2.67.0.jar
If related to CVE-2022-24839, I surmise Atlassian is maintaining their own Nokogiri (nekohtml-1.9.22) fork. That is a lot of work given that development for the original stopped in 2014. This CVE dates back to April 2022. This vulnerability was missed for some time...
The 2nd jar - neko-htmlunit-2.67.0 - seems to be related to CVE-2023-2798, which is vulnerable to crash by stack overflow. This is fixed in neko-htmlunit-2.70.
Based on the existence of neko-htmlunit-2.67.0.jar in the lib directory, Confluence v7.19.16 may have the vulnerable version.
I am working on attack payloads for testing.
Hello Atlassian,
any ETA when fixed versions would be available?
Kind regards
Hi Everyone, Apologies for the confusion. There was an issue internally which led to the confusion. This issue is being fixed and will be released as part of 7.19.17 and 8.5.4. Also its already fixed as part of the 8.6.0.
Thanks & Regards
Sandeep
Yeah bit strange to list 8.5.4 as fixed release without an actually release / ETA ?
8.5.4?
where can i get this?
here not: [Download-Archive für Confluence Server | Atlassian|https://www.atlassian.com/de/software/confluence/download-archives]
Hey guys, sorry to say, but that's not really professional! 
Yesterday you told us that everything is fine when being > 7.19.4. And today you retract this statement and inform us that we apparently need to upgrade to a new LTS version 7.19.17.
Could you please try to avoid moving back and forth when publishing security relevant information? In my opinion, this type of informations should be carefully checked before actually publishing it.
Thanks a lot & best regards,
-Rainer
The updates on the affected and fixed versions are getting ridiculous. Is someone actually taking care at Atlassian about it or do we have funny random generators working here?
Your version list is still incomplete. It can't be that difficult!
My question again: Is 7.19.16 LTS affected by security vulnerabilities or not?
I'm sorry, but my trust in Atlassian is dwindling more and more by the minute.
What is this procedure? Does anyone else here know what they are doing? The fix versions change almost every hour.
We also have other things to do than chase the bug fixes!
Please exactly list all affected and non affected Versions so fast as possible!
Here a Jira Server 9.4.15 LTS from 03.01.2024 is installed
I see two outdated JAR files
and some plugin JARs embedding the nekohtml directly
Just one example:
streams-core-plugin-9.1.6_1704274718000.jar contains an older version without the latest fix in scanPI() method.
The payload is almoast clear for me, I "just" need the trigger for it
Create a Processing Instruction, which is not an xml target, but any other: https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L2553
The fix contains a check against last entry, while it is missing in other version: https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L2591
The whole payload line fits the DEFAULT_BUFFER_SIZE = 2048 https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L330
but does not close with the bracket
something like: