Fri. Aug 14th, 2020

CVE-2019-3398: Confluence – Path traversal vulnerability Alert


On April 17, 2019, Atlassian published a security advisory for Confluence. Confluence Server and Data Center have a path traversal vulnerability in the downloadallattachments resource: “A remote attacker who has permission to add attachments to pages and / or blogs, or to create a new space or personal space, or who has ‘Admin’ permissions for a space, can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.”
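The advisory describes the bug class, not the code. The following is an added illustration and is not Confluence's code or the actual CVE-2019-3398 vector: it shows the generic pattern of joining an uploader-controlled attachment name onto a server-side directory (the vulnerable form) next to a hardened form that canonicalises the result and requires it to stay inside the intended directory. The staging directory name is an assumption for the example only.

```python
import os

# Added illustration of the bug class, not Confluence's code and not the
# actual CVE-2019-3398 vector: an attachment name controlled by the uploader
# is joined onto a server-side directory before the file is written.

# Hypothetical staging directory (assumption, for the example only).
STAGING_DIR = "/var/atlassian/confluence/temp/attachments"


def unsafe_target(base_dir: str, attachment_name: str) -> str:
    """Vulnerable pattern: the stored filename is trusted as-is.

    '..' segments walk out of base_dir, and an absolute name makes
    os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, attachment_name)


def safe_target(base_dir: str, attachment_name: str) -> str:
    """Hardened pattern: canonicalise, then require containment in base_dir."""
    base = os.path.realpath(base_dir)
    if "\x00" in attachment_name:
        raise ValueError("NUL byte in attachment name")
    if os.path.isabs(attachment_name):
        raise ValueError(f"absolute attachment name rejected: {attachment_name!r}")
    candidate = os.path.realpath(os.path.join(base, attachment_name))
    # commonpath shrinks to an ancestor of base (or the root) as soon as the
    # resolved path has escaped, so equality with base is the invariant.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal rejected: {attachment_name!r}")
    return candidate


def escapes_base(base_dir: str, target: str) -> bool:
    """True if target, once resolved, lies outside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(target)]) != base


def is_contained(base_dir: str, attachment_name: str) -> bool:
    """Boolean view of safe_target for scripts and tests."""
    try:
        safe_target(base_dir, attachment_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed attachment names: one benign, three traversal attempts.
    for name in ("report.pdf", "../../../../../../etc/cron.d/job",
                 "/etc/passwd", "sub/../../escaped.txt"):
        target = unsafe_target(STAGING_DIR, name)
        print(f"{name!r:40} unsafe -> {target} (escapes={escapes_base(STAGING_DIR, target)})")
        verdict = "accepted" if is_contained(STAGING_DIR, name) else "rejected"
        print(f"{'':40} safe   -> {verdict}")
```

The containment check is done on the resolved path rather than by searching the name for `..`, so encoded or nested forms such as `sub/../../x` are caught as well; names that merely contain `..` but stay inside the directory (`sub/../inner.txt`) are still accepted.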

CVE-2019-3398

Atlassian rates the severity of this vulnerability as critical. Update Confluence Server or Data Center to a fixed version promptly to avoid exploitation.

Affected products:

  • Confluence Server
  • Confluence Data Center

Affected versions:

  • All versions prior to 6.6.13
  • All 6.7.x to 6.11.x versions
  • All 6.12.x versions prior to 6.12.4
  • All 6.13.x versions prior to 6.13.4
  • All 6.14.x versions prior to 6.14.3
  • All 6.15.x versions prior to 6.15.2

Unaffected versions

Fixed releases of Confluence Server and Data Center:

  • 6.6.13
  • 6.12.4
  • 6.13.4
  • 6.14.3
  • 6.15.2
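The version ranges above are easy to misread during an inventory sweep (6.12.3 is vulnerable, 6.12.4 is not, while every 6.7.x to 6.11.x build is vulnerable regardless of patch level). The following added example, which is not Atlassian tooling, encodes the advisory's fixed versions (6.6.13, 6.12.4, 6.13.4, 6.14.3, 6.15.2) and triages a constructed host inventory. It assumes that lines after 6.15 and the 7.x series, released after the advisory, carry the fix, and that the least disruptive upgrade is the nearest fixed release at or above the running line.

```python
import re
from typing import Iterable, List, Tuple

# Added example, not Atlassian tooling: encodes the affected ranges from the
# advisory so a Confluence inventory can be triaged quickly.

# First patch release in each 6.x line that contains the fix (advisory values).
FIXED_PATCH = {6: 13, 12: 4, 13: 4, 14: 3, 15: 2}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '6.13.3' (optionally with a suffix such as '-beta1') into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version falls in one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < (6, 6, 13):
        return True                          # every release before 6.6.13
    if major > 6 or minor >= 16:
        return False                         # assumption: later lines ship the fix
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]    # 6.6, 6.12, 6.13, 6.14, 6.15 lines
    return True                              # 6.7.x to 6.11.x received no fix


def nearest_fixed(version: str) -> str:
    """Lowest fixed release at or above the running line (assumed least disruptive)."""
    major, minor, _ = parse_version(version)
    if major < 6:
        return "6.6.13"
    for line in sorted(FIXED_PATCH):
        if line >= minor:
            return f"6.{line}.{FIXED_PATCH[line]}"
    return version  # already on a line past the advisory


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that still need an upgrade."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    # Constructed inventory for the demo.
    sample = [("wiki-prod", "6.13.3"), ("wiki-dr", "6.13.4"),
              ("wiki-legacy", "5.10.8"), ("wiki-dev", "6.15.2")]
    for host, ver in triage(sample):
        print(f"{host}: {ver} is affected, upgrade to at least {nearest_fixed(ver)}")
```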

Solution

Upgrade to one of the fixed versions listed above, or to any later release.

If you are unable to upgrade Confluence immediately, block the <base-url>/<context-path>/pages/downloadallattachments.action URL as a temporary workaround. Blocking this URL prevents anyone from downloading all attachments via the attachments page or the attachments macro; downloading individual attachments still works. This is a mitigation, not a fix: upgrade as soon as you can.

To block the URL directly in Tomcat:

  1. Stop Confluence.
  2. Edit <install-directory>/conf/server.xml.
  3. Add the following inside the <Host> element:

    <Context path="/pages/downloadallattachments.action" docBase="" >
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>

    If you run Confluence with a context path, for example /wiki, you will need to include your context path in the path, as shown here:

    <Context path="/wiki/pages/downloadallattachments.action" docBase="" >
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>
  4. Save the file, and restart Confluence.
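Because the block is pasted by hand into server.xml, the usual failure modes are a wrong context path, the <Context> landing outside <Host>, or a mistyped valve class name (some copies of this advisory render it as "RemoteAddrValapp", a class Tomcat cannot load). The following is an added pre-flight check, not an Atlassian tool, that parses server.xml and confirms the block is present exactly as described: under <Host>, with the expected path, and with a RemoteAddrValve that denies everything. The server.xml skeletons it tests against are constructed for the example; the end-to-end confirmation is still the 404 test described next.

```python
import xml.etree.ElementTree as ET

# Added pre-flight check, not an Atlassian tool: confirms that server.xml
# carries the blocking <Context> exactly as the workaround describes.

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"
BLOCKED_ACTION = "/pages/downloadallattachments.action"


def workaround_present(server_xml: str, context_path: str = "") -> bool:
    """True if a <Context> under <Host> blocks the action for this context path."""
    root = ET.fromstring(server_xml)
    expected_path = context_path.rstrip("/") + BLOCKED_ACTION
    for host in root.iter("Host"):              # only <Context> under <Host> counts
        for ctx in host.findall("Context"):
            if ctx.get("path") != expected_path:
                continue
            for valve in ctx.findall("Valve"):
                if valve.get("className") == VALVE_CLASS and valve.get("deny") == "*":
                    return True
    return False


def check_server_xml(path: str, context_path: str = "") -> bool:
    """Run workaround_present against <install-directory>/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return workaround_present(fh.read(), context_path)


# Constructed server.xml skeletons for the demo (trimmed Tomcat layout).
_SKELETON = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1"/>
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="{ctx}" docBase="../confluence" reloadable="false"/>
        {block}
      </Host>
    </Engine>
  </Service>
</Server>
"""

GOOD_XML = _SKELETON.format(ctx="", block=(
    '<Context path="/pages/downloadallattachments.action" docBase="">'
    f'<Valve className="{VALVE_CLASS}" deny="*"/></Context>'))

GOOD_WIKI_XML = _SKELETON.format(ctx="/wiki", block=(
    '<Context path="/wiki/pages/downloadallattachments.action" docBase="">'
    f'<Valve className="{VALVE_CLASS}" deny="*"/></Context>'))

# Mistyped class name: Tomcat cannot load it, so this must count as NOT applied.
TYPO_XML = _SKELETON.format(ctx="", block=(
    '<Context path="/pages/downloadallattachments.action" docBase="">'
    '<Valve className="org.apache.catalina.valves.RemoteAddrValapp" deny="*"/></Context>'))

# No blocking <Context> at all.
MISSING_XML = _SKELETON.format(ctx="", block="")


if __name__ == "__main__":
    for label, xml, cp in (("default", GOOD_XML, ""), ("wiki", GOOD_WIKI_XML, "/wiki"),
                           ("typo", TYPO_XML, ""), ("missing", MISSING_XML, "")):
        print(f"{label:8} workaround applied: {workaround_present(xml, cp)}")
```

Run `check_server_xml("/opt/atlassian/confluence/conf/server.xml", "/wiki")` (paths and context path being your own) before restarting Confluence; the 404 test below remains the authoritative confirmation once the service is up.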

To verify that the workaround was applied correctly:

  1. Navigate to a page or blog post that has 2 or more attachments.
  2. Go to ••• > Attachments and then click Download all attachments.

You should see a 404 error and no files should be downloaded.