Atlassian Confluence Server/Data Center up to 6.15.1 downloadallattachments path traversal

Summaryinfo

A vulnerability was found in Atlassian Confluence Server and Data Center up to 6.6.12/6.12.3/6.13.3/6.14.2/6.15.1. It has been classified as critical. This affects an unknown function of the file downloadallattachments. Performing a manipulation results in path traversal. This vulnerability is known as CVE-2019-3398. Remote exploitation of the attack is possible. Furthermore, an exploit is available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in Atlassian Confluence Server and Data Center up to 6.6.12/6.12.3/6.13.3/6.14.2/6.15.1. It has been classified as critical. This affects an unknown code block of the file downloadallattachments. The manipulation with an unknown input leads to a path traversal vulnerability. CWE is classifying the issue as CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

The weakness was published 04/18/2019 as not defined mailinglist post (Bugtraq). The advisory is shared at seclists.org. This vulnerability is uniquely identified as CVE-2019-3398 since 12/19/2018. It is possible to initiate the attack remotely. The requirement for exploitation is a authentication. Technical details and a public exploit are known. MITRE ATT&CK project uses the attack technique T1006 for this issue.

A public exploit has been developed by max7253 in Ruby/Metasploit and been published 8 months after the advisory. The exploit is shared for download at exploit-db.com. It is declared as attacked. The commercial vulnerability scanner Qualys is able to test this issue with plugin 13475 (Atlassian Confluence Server Path traversal Vulnerability (CONFSERVER-58102)). The CISA Known Exploited Vulnerabilities Catalog lists this issue since 11/03/2021 with a due date of 05/03/2022:

Apply updates per vendor instructions.

Upgrading to version 6.6.13, 6.12.4, 6.13.4, 6.14.3 or 6.15.2 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (47635). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Atlassian

Name

• Confluence Server
• Data Center

Version

• 6.6.0
• 6.6.1
• 6.6.2
• 6.6.3
• 6.6.4
• 6.6.5
• 6.6.6
• 6.6.7
• 6.6.8
• 6.6.9
• 6.6.10
• 6.6.11
• 6.6.12
• 6.12.0
• 6.12.1
• 6.12.2
• 6.12.3
• 6.13.0
• 6.13.1
• 6.13.2
• 6.13.3
• 6.14.0
• 6.14.1
• 6.14.2
• 6.15.0
• 6.15.1

License

• free

Website

• Vendor: https://www.atlassian.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion