CVE-2019-3394: Confluence Server and Confluence Data Center Local File Disclosure Alert

Atlassian Confluence officially issued a security notice to fix a local file disclosure vulnerability (CVE-2019-3394) that exists in Confluence. The vulnerability level is serious. Atlassian Confluence Server and Atlassian Data Center are products of Atlassian Corp. Atlassian Confluence Server is a professional enterprise knowledge management and collaboration software that can also be used to build enterprise WiKi. Atlassian Data Center is a data center system.

Confluence Server and Data Center have a local file leak vulnerability in the page export feature. ” A remote attacker who has Add Page space permission would be able to read arbitrary files in the  <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information. The potential to leak LDAP credentials exists if LDAP credentials are specified in an atlassian-user.xml file, which is a deprecated method for configuring LDAP integration.”

Affected version

  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions before 6.6.16 (the fixed version for 6.6.x)
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions
  • All 6.13.x versions before 6.13.7 (the fixed version for 6.13.x)
  • All 6.14.x versions
  • All 6.15.x versions before 6.15.8 (the fixed version for 6.15.x)

Solution

Users using Confluence can fix this vulnerability by updating Confluence Server or Confluence Data Center to version 6.6.16, 6.13.7 or 6.15.8.