Security-metrics-botCONFSERVER-59898Velocity Template Injection in Custom user macros - Macros Platform - CVE-2020-4027
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS
Percentile
43.2%
Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros.
This issue was discovered and reported by GHSL team member [@pwntester (Alvaro Munoz)|https://github.com/github/securitylab_vulnerabilities/blob/master/vendor_reports/https/github.com/pwntester].
The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.
Affected versions:
- version < 7.4.5
- 7.5.0 ā¤ version < 7.5.1
Fixed versions:
- 7.4.5
- 7.5.1
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| atlassian | confluence_data_center | * | cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS
Percentile
43.2%