Lucene search

AtlassianCVE-2019-3394

HistoryAug 29, 2019 - 3:15 p.m.

CVE-2019-3394

2019-08-2915:15:11

CWE-22

atlassian

web.nvd.nist.gov

cve-2019-3394

confluence server

confluence data center

local file disclosure

page exporting

vulnerability

security issue

ldap credentials

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.189

Percentile

96.3%

JSON

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

Affected configurations

Nvd

Node

atlassianconfluenceRange6.1.0–6.6.16

atlassianconfluenceRange6.7.0–6.13.7

atlassianconfluence_serverRange6.14.0–6.15.8

VendorProductVersionCPE
atlassianconfluence*cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*
atlassianconfluence_server*cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
atlassian	confluence	*	cpe:2.3:a:atlassian:confluence::::::::
atlassian	confluence_server	*	cpe:2.3:a:atlassian:confluence_server::::::::

CNA Affected

[
  {
    "product": "Confluence Server",
    "vendor": "Atlassian",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "6.1.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.6.16",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "6.7.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.13.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "6.14.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.15.8",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]