Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

CVE-2019-3398

Mitigation
If you are unable to upgrade Confluence immediately, then as a temporary workaround, you should block the affected //pages/downloadallattachments.action URL. Disabling this URL will prevent anyone downloading all attachments via the attachments page, or the attachments macro. Downloading individual attachments will still work. 

To block the URL directly in Tomcat:

1. Stop Confluence.
2. Edit /conf/server.xml.
3. Add the following inside the   element:


    



If you run Confluence with a context path, for example /wiki, you will need to include your context path in the path, as shown here:


    


4. Save the file, and restart Confluence.
To verify that the workaround was applied correctly:

1. Navigate to a page or blog that has 2 or more attachments. 
2. Go to  > Attachments and then click Download all attachments.

You should see a 404 error and no files should be downloaded

Mitigation
If you are unable to upgrade Confluence immediately, then as a temporary workaround, you should block the affected //pages/downloadallattachments.action URL. Disabling this URL will prevent anyone downloading all attachments via the attachments page, or the attachments macro. Downloading individual attachments will still work. 
To block the URL directly in Tomcat:
<ol>
<li>Stop Confluence.</li>
<li>Edit /conf/server.xml.</li>
<li>Add the following inside the element:</li>
</ol>
If you run Confluence with a context path, for example /wiki, you will need to include your context path in the path, as shown here:
<ol>
<li>Save the file, and restart Confluence.
To verify that the workaround was applied correctly:
</li>
<li>Navigate to a page or blog that has 2 or more attachments. 
</li>
<li>Go to &gt; Attachments and then click Download all attachments.
</li>
</ol>
You should see a 404 error and no files should be downloaded

Mitigation of Confluence - Path traversal vulnerability - CVE-2019-3398

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. 

*Affected versions:*
* All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2  are affected by this vulnerability. 

*Fix:*
 * Confluence Server and Data Center versions 6.15.2 is available for download from [https://www.atlassian.com/software/confluence/download].
 * Confluence Server and Data Center versions 6.14.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].
 * Confluence Server and Data Center versions 6.13.4 is available for download from [https://www.atlassian.com/software/confluence/download-archives].
 * Confluence Server and Data Center versions 6.12.4 is available for download from [https://www.atlassian.com/software/confluence/download-archives].
 * Confluence Server and Data Center versions 6.6.13 is available for download from [https://www.atlassian.com/software/confluence/download-archives].


For additional details, see the [full advisory|https://confluence.atlassian.com/x/d5e8OQ].

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. 
Affected versions:
<ul>
<li>All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability. </li>
</ul>
Fix:
<ul>
<li>Confluence Server and Data Center versions 6.15.2 is available for download from [<a href="https://www.atlassian.com/software/confluence/download%5D">https://www.atlassian.com/software/confluence/download]</a>.</li>
<li>Confluence Server and Data Center versions 6.14.3 is available for download from [<a href="https://www.atlassian.com/software/confluence/download-archives%5D">https://www.atlassian.com/software/confluence/download-archives]</a>.</li>
<li>Confluence Server and Data Center versions 6.13.4 is available for download from [<a href="https://www.atlassian.com/software/confluence/download-archives%5D">https://www.atlassian.com/software/confluence/download-archives]</a>.</li>
<li>Confluence Server and Data Center versions 6.12.4 is available for download from [<a href="https://www.atlassian.com/software/confluence/download-archives%5D">https://www.atlassian.com/software/confluence/download-archives]</a>.</li>
<li>Confluence Server and Data Center versions 6.6.13 is available for download from [<a href="https://www.atlassian.com/software/confluence/download-archives%5D">https://www.atlassian.com/software/confluence/download-archives]</a>.</li>
</ul>
For additional details, see the [full advisory|<a href="https://confluence.atlassian.com/x/d5e8OQ%5D">https://confluence.atlassian.com/x/d5e8OQ]</a>.

Confluence - Path traversal vulnerability - CVE-2019-3398

Featured CVEs

Feed of the featured CVEs from Vulcan Remedy Cloud.

Vulcan Remedy Cloud - Featured CVEs

Thank you for downloading from Remedy Cloud!

Please fill out the form to download the CSV

Your Script is On It's Way!

Tell us where to send the script

Your Email Was Successfully Sent!

Email

Your Name

Your fix has been sent successfully!

Suggest a Fix

Search for a CVE below to see all the available fixes

Remedy Cloud

Loading - Vulcan Remedy Cloud

The page you are looking for was moved, removed, renamed or might never existed.

CVE-2019-3398

2 fixes found:

Workaround

Mitigation of Confluence - Path traversal vulnerability - CVE-2019-3398

Version Update

Confluence - Path traversal vulnerability - CVE-2019-3398