CONFSERVER-98413

Confluence Data Center for Windows has confluence.cfg.xml file readable by BUILTIN/Users by default


    • CVSS score: 6.4
    • Severity: Medium
    • Source: Bug Bounty
    • Bug bounty researcher: matcluck
    • CVSS vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
    • Vulnerability type: PrivEsc (Privilege Escalation), Security Misconfiguration
    • Product: Confluence Data Center

      Affected versions of Atlassian Confluence Data Center installed on Windows contain a security misconfiguration: the confluence.cfg.xml file is readable by members of the BUILTIN/Users group by default.

      An attacker with local access to the Windows host who is a member of BUILTIN/Users (which every local user account is by default) can read the sensitive information in confluence.cfg.xml, which could lead to local privilege escalation to the Confluence installation user. The CWE ID for this vulnerability is CWE-732: Incorrect Permission Assignment for Critical Resource.
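      The following PowerShell script is an added example for administrators who want to verify a host (it is not Atlassian's code and not part of this issue). confluence.cfg.xml holds the JDBC connection string and database credentials, so the check is whether any ACE that applies to every local user grants read access, and the optional fix breaks inheritance, removes those ACEs and grants the service account explicit Modify rights. Two assumptions are hard-coded as defaults and must be adjusted: the Confluence home path (C:\Atlassian\Application Data\Confluence) and the name of the local account the Confluence service runs as ('confluence', hypothetical).

```powershell
# Added example (not Atlassian's code): audit and optionally harden the ACL on
# confluence.cfg.xml. Assumptions, adjust for your host: the Confluence home is
# C:\Atlassian\Application Data\Confluence and the Confluence Windows service
# runs as the local account 'confluence' (hypothetical name).
param(
    [string]$ConfigPath = 'C:\Atlassian\Application Data\Confluence\confluence.cfg.xml',
    [string]$ServiceAccount = "$env:COMPUTERNAME\confluence",
    [switch]$Fix
)

# Well-known SIDs that cover every local user. Matching on SIDs rather than
# names keeps the check correct on localized Windows builds.
$broadSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0'        # Everyone
)

function Get-BroadReadAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $found = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        # FileSystemRights is a flags enum; ReadData is the bit that lets the file be opened for reading.
        $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
        $canRead = ([int]$ace.FileSystemRights -band $readBit) -ne 0
        if ($canRead -and ($sid -in $broadSids)) { $found += $ace }
    }
    return $found
}

function Protect-ConfluenceCfg {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -LiteralPath $Path
    # The broad ACEs usually arrive by inheritance from the parent directory, and
    # inherited ACEs cannot be removed one by one. Break inheritance while keeping
    # copies of the current ACEs, so they become explicit and removable.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -in $broadSids) { [void]$acl.RemoveAccessRule($ace) }
    }
    # Confluence rewrites confluence.cfg.xml during setup and upgrades, so the
    # service account needs Modify, not just Read.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Modify', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$exposed = @(Get-BroadReadAces -Path $ConfigPath)
if ($exposed.Count -eq 0) {
    Write-Host "OK: no broad read access on $ConfigPath"
} else {
    Write-Host "EXPOSED: $ConfigPath is readable by:"
    foreach ($ace in $exposed) {
        $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Host ("  {0}: {1} ({2})" -f $ace.IdentityReference, $ace.FileSystemRights, $src)
    }
    if ($Fix) {
        Protect-ConfluenceCfg -Path $ConfigPath -Account $ServiceAccount
        Write-Host 'ACL rewritten; re-run without -Fix to verify.'
    }
}
```

      Run it from an elevated PowerShell session (changing the ACL requires administrator rights). Because the service account is itself a member of BUILTIN/Users, removing the group's ACE would lock Confluence out of its own configuration unless the account gets an explicit grant, which is why the fix adds the Modify rule before writing the ACL back. Upgrading to a fixed version corrects the installer defaults; the script is for hosts that cannot be upgraded immediately and for confirming the state afterwards.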

      Affected Versions:

      • version < 8.7.1

      Fixed Versions:

      • 7.19.18
      • 8.5.5
      • 8.7.2
      • 8.8.0

              Assignee: Unassigned
              Reporter: Jeremy Jorge