Atlassian Confluence Server up to 6.6.11/6.12.2/6.13.2/6.14.1 Widget Connector Macro path traversal

Summaryinfo

A vulnerability was found in Atlassian Confluence Server up to 6.6.11/6.12.2/6.13.2/6.14.1. It has been declared as critical. The impacted element is an unknown function of the component Widget Connector Macro. Such manipulation leads to path traversal. This vulnerability is traded as CVE-2019-3396. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Atlassian Confluence Server up to 6.6.11/6.12.2/6.13.2/6.14.1. Affected by this issue is some unknown processing of the component Widget Connector Macro. The manipulation with an unknown input leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, integrity, and availability. CVE summarizes:

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

The bug was discovered 03/25/2019. The weakness was shared 03/25/2019 as confirmed mailinglist post (Bugtraq). The advisory is available at seclists.org. This vulnerability is handled as CVE-2019-3396 since 12/19/2018. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are unknown but a public exploit is available. This vulnerability is assigned to T1006 by the MITRE ATT&CK project.

A public exploit has been developed by Metasploit in Ruby/Metasploit and been published immediately after the advisory. The exploit is available at exploit-db.com. It is declared as attacked. The commercial vulnerability scanner Qualys is able to test this issue with plugin 13459 (Atlassian Confluence Server Remote Code Execution Vulnerability (CONFSERVER-57974)). This issue was added on 11/03/2021 to the CISA Known Exploited Vulnerabilities Catalog with a due date of 05/03/2022:

Apply updates per vendor instructions.

Upgrading to version 6.6.12, 6.12.3, 6.13.3 or 6.14.2 eliminates this vulnerability. The upgrade is hosted for download at confluence.atlassian.com. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (46731). The entry VDB-132193 is related to this item. If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• Atlassian

Name

• Confluence Server

Version

• 6.6.0
• 6.6.1
• 6.6.2
• 6.6.3
• 6.6.4
• 6.6.5
• 6.6.6
• 6.6.7
• 6.6.8
• 6.6.9
• 6.6.10
• 6.6.11
• 6.12.0
• 6.12.1
• 6.12.2
• 6.13.0
• 6.13.1
• 6.13.2
• 6.14.0
• 6.14.1

License

• free

Website

• Vendor: https://www.atlassian.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion