• 8.8
    • High
    • Bug Bounty
    • l3yx
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    • Injection
    • Confluence Data Center

This High severity Gatekeeper Injection vulnerability was introduced in version 7.1.0 of Confluence Data Center.

This Injection vulnerability, with a CVSS score of 8.8, allows an unauthenticated attacker to modify the actions taken by a system call. It has high impact to confidentiality, high impact to integrity and high impact to availability, and requires user interaction.

Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the supported fixed versions listed below:

      • Confluence Data Center 7.19: Upgrade to a release greater than or equal to 7.19.21
      • Confluence Data Center 8.5: Upgrade to a release greater than or equal to 8.5.8
      • Confluence Data Center 8.9: Upgrade to a release greater than or equal to 8.9.0

      See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center from the download center (https://www.atlassian.com/software/confluence/download-archives).

This vulnerability was discovered by l3yx and reported via our Bug Bounty program.


            [CONFSERVER-94957] Gatekeeper Template Injection in Confluence Data Center

            Andy Holt added a comment -

We have had an external vulnerability scan performed against our public web properties (by Tenable), and they flagged a 10.0 against our Confluence, without mentioning a CVE, but referencing this ticket CONFSERVER-94957.

So it is clear that in general, 'the internet' views this as a real issue. We really need Atlassian to either confirm it is a real issue, or tidy up the mess so that it no longer appears in vuln test reports.

Rick Carini added a comment -

Hi 5de531f82e45 - not sure why I am able to see this issue still in CONFSERVER if it is supposed to be restricted to Atlassian staff only...
Is this now a real issue?

Thanks!
Rick

            Lee Berg added a comment -

Hey 4aedf339586e, 54794a758297, 5889114c598d. Just letting you know that this ticket was published inadvertently via automation. The CVE/NVD record as well as this ticket are INACCURATE and Confluence is not affected. The product team evaluated this finding in our Security Bulletin draft and marked it for removal as the product was not affected. Unfortunately, this ticket made it through our publishing process via an error and, as you pointed out, I also missed updating the security level properly and only updated to Draft Status.

I am correcting that mistake now - by restricting this ticket access to Atlassian Staff.

Christian Bär added a comment -

Just to give you a clue what happened:
Have a look at the History tab:

A bot switched the ticket from Draft to Published yesterday and the Security field was set from "Atlassian Staff" to empty, so that customers can see the ticket of course.
Then Lee Berg switched the status back to Draft for some reason. But the Security Level did not change back accordingly.

Then the NIST bot did its run and now it's out on the internet.

Christian Bär added a comment -

What does "Gatekeeper" mean in this context? Is this related to some features we could check for?

Schröder, Laurent added a comment -

So do we have to shut down Confluence to prevent malicious interaction and wait till the fix version is approved?

Christian Bär added a comment -

Exactly what Ilkka says.

Klara Bras added a comment -

I have the same question: is this vulnerability fixed in version 7.19.21? Shall we proceed with the update of 7.19.20 or shall we wait for another release?

            Ilkka Kiiskinen added a comment - - edited

This issue has Fix Versions 8.9.0, 7.19.21, 8.5.8

Status is "DRAFT" and resolution "Unresolved"

All listed Fix Version releases are already out.

This issue is not in the release notes (probably because of the status).

But even worse, this is not in the just released Security Bulletin: https://confluence.atlassian.com/security/security-bulletin-april-16-2024-1387857429.html

So is this fixed or not?

Atlassian, you must do better with your security issue documentation, issue tracking and usage of your own tools!
And check out your Security Bulletin page layouts. Those are broken. The tables are hard to read, they don't scale.

Assignee: Unassigned
Reporter: Security Metrics Bot (security-metrics-bot)
Votes: 2
Watchers: 9
