On April 17, 2019, Atlassian published a security advisory for Confluence: Confluence Server and Data Center have a path traversal vulnerability (CVE-2019-3398) in the downloadallattachments resource. “A remote attacker who has permission to add attachments to pages and / or blogs, or to create a new space or personal space, or who has ‘Admin’ permissions for a space, can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.”
Atlassian rates the severity of this vulnerability as critical. Users should update Confluence Server or Data Center promptly to avoid exploitation.
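The bug class the advisory describes is an attachment name that is joined to a staging directory and walks out of it with `..` segments. The following Python is an added example, not Confluence code, and it does not reproduce how Confluence assembles the attachment archive; the staging path and the attachment names are constructed for the demonstration. It shows the naive join beside a containment check, and a hardened export that refuses any attachment name that is not a single filename component.

```python
import os
import tempfile

# Constructed sample attachment names of the kind a user who can add
# attachments might supply. Not taken from any real Confluence instance.
SAMPLE_ATTACHMENTS = {
    "report.pdf": b"%PDF-1.4 sample",
    "../../../../tmp/shell.jsp": b"<%-- traversal attempt --%>",
    "notes/../../escape.txt": b"traversal hidden behind a normal segment",
    "..": b"dot-dot on its own",
}


def naive_destination(staging_dir: str, attachment_name: str) -> str:
    """The vulnerable pattern: trust the stored attachment name and join it
    to the staging directory. Any '..' segment walks out of staging_dir."""
    return os.path.normpath(os.path.join(staging_dir, attachment_name))


def is_within(base_dir: str, path: str) -> bool:
    """True if path, after normalisation, is base_dir or one of its descendants.
    commonpath() is used rather than a string prefix test, so that
    '/base/export' does not accept '/base/exporter/x'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base


def escaping_names(staging_dir: str, attachments: dict) -> list:
    """Attachment names whose naive destination lands outside staging_dir."""
    return [
        name for name in attachments
        if not is_within(staging_dir, naive_destination(staging_dir, name))
    ]


def validate_name(attachment_name: str) -> str:
    """Hardened check: accept exactly one plain filename component.
    Rejects path separators (either style), '', '.', '..' and control chars."""
    name = attachment_name.replace("\\", "/")
    if "/" in name or name in ("", ".", "..") or any(ord(c) < 32 for c in name):
        raise ValueError(f"rejected attachment name {attachment_name!r}")
    return name


def safe_export(staging_dir: str, attachments: dict) -> tuple:
    """Write attachments under staging_dir, refusing unsafe names.
    Returns (written, rejected): written maps name -> path on disk,
    rejected lists the names that were refused."""
    written, rejected = {}, []
    base = os.path.realpath(staging_dir)
    for name, data in attachments.items():
        try:
            leaf = validate_name(name)
        except ValueError:
            rejected.append(name)
            continue
        dest = os.path.join(base, leaf)
        # Defence in depth: re-check containment even after validation.
        if not is_within(base, dest):
            rejected.append(name)
            continue
        with open(dest, "wb") as fh:
            fh.write(data)
        written[name] = dest
    return written, rejected


def demo() -> tuple:
    """Run the hardened export into a throwaway directory and report what
    was written and what was refused (sorted for stable comparison)."""
    with tempfile.TemporaryDirectory() as staging:
        written, rejected = safe_export(staging, SAMPLE_ATTACHMENTS)
        return sorted(written), sorted(rejected)


if __name__ == "__main__":
    staging = "/srv/confluence/temp/export"  # hypothetical staging directory
    for name in escaping_names(staging, SAMPLE_ATTACHMENTS):
        print(f"naive join escapes staging dir: {name!r} -> {naive_destination(staging, name)}")
    print("hardened export:", demo())
```

The hardened path rejects rather than silently renames: an attachment name carrying a separator is a signal worth logging, and stripping it to a basename would let two different uploads collide on the same leaf name inside the archive.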
Affected products:
- Confluence Server
- Confluence Data Center
Affected versions:
- All versions prior to 6.6.14
- All 6.7.x to 6.11.x versions
- All 6.12.x versions prior to 6.12.4
- All 6.13.x versions prior to 6.13.4
- All 6.14.x versions prior to 6.14.3
- All 6.15.x versions prior to 6.15.2
Fix:
Upgrade Confluence Server or Data Center to a fixed version: 6.6.14, 6.12.4, 6.13.4, 6.14.3, 6.15.2, or any later release.
If you are unable to upgrade Confluence immediately, then as a temporary workaround you should block the affected URL, <base-url>/<context-path>/pages/downloadallattachments.action. Blocking this URL prevents anyone from downloading all attachments via the attachments page or the attachments macro, which is the only resource the advisory names as vulnerable; downloading individual attachments will still work. On Data Center, apply the block on every node in the cluster, since each node runs its own Tomcat.
To block the URL directly in Tomcat:
- Stop Confluence.
- Add the following inside the
<Context path="/pages/downloadallattachments.action" docBase="" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny=".*" />
</Context>
The deny attribute of RemoteAddrValve is a Java regular expression matched against the client IP address; ".*" matches every client, so no one can reach the action (a bare "*" is not a valid regular expression).
If you run Confluence with a context path, for example /wiki, you will need to include your context path in the path, as shown here:
<Context path="/wiki/pages/downloadallattachments.action" docBase="" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny=".*" />
</Context>
- Save the file, and restart Confluence.
To verify that the workaround was applied correctly:
- Navigate to a page or blog post that has two or more attachments.
- From the page menu, go to Attachments and then click Download all attachments.
You should receive an HTTP error response instead of an archive (Atlassian's advisory states a 404 error), and no files should be downloaded. Confirm that downloading a single attachment from the same page still works, so the block has not been applied more broadly than intended.