cv-announce-l@list.iu.edu
- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Cc: "Andrew K. Adams" <akadams@psc.edu>
- Subject: [cv-announce-l] Confluence Path Traversal Vulnerability (CVE-2019-3398)
- Date: Thu, 18 Apr 2019 10:20:56 -0400
CI Operators:
Atlassian has issued a Critical Security Advisory [1] detailing a vulnerability in Confluence Server and Confluence Data Center. The vulnerability leverages a “path traversal” in the downloadallattachments resource. Note that this is a different vulnerability from the WebDav/Widget Connector vulnerability announced 2019-04-11 [2].
Versions of Confluence Server and Data Center from 2.0.0 before 6.6.13, from 6.7.0 to 6.12.4, from 6.13.0 to 6.13.4, from 6.14.0 to 6.14.3, and from 6.15.0 to 6.15.2 are affected by this vulnerability. Confluence Server and Data Center versions 6.6.13, 6.12.4, 6.13.4, 6.14.3 and 6.15.2 are not affected.
Impact:
An attacker who has permission to add an attachment to pages and/or blogs, or to create a new space or personal space, or who has 'Admin' permissions for a space, can exploit a path traversal vulnerability to write files to arbitrary locations and possibly perform remote code execution (RCE).
Recommendation:
Update to the latest version of Confluence Server or Data Center [3] immediately. If you are unable to upgrade Confluence immediately, then as a temporary workaround you should block the <base-url>/<context-path>/pages/downloadallattachments.action URL. Disabling this URL will prevent anyone from downloading all attachments via the attachments page or the attachments macro.
Affected Confluence Server and Data Center versions:
* All 2.x.x, 3.x.x, 4.x.x and 5.x.x versions
* All 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, and 6.5.x versions
* All 6.6.x versions before 6.6.13
* All 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x versions
* All 6.12.x versions before 6.12.4
* All 6.13.x versions before 6.13.4
* All 6.14.x versions before 6.14.3
* Note that Confluence Cloud is NOT affected
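Two defender-side checks that follow from the version ranges and the workaround above, as an added example (not Atlassian's or Trusted CI's code): does a given Confluence version fall in an affected range, and do the access logs show the downloadallattachments block actually being enforced? The range table transcribes the advisory text ("before X" read as exclusive of X); the log lines are constructed samples.

```python
"""Checks for CVE-2019-3398: affected-version lookup and a log scan that
verifies the downloadallattachments workaround is in place. Added example;
ranges transcribed from the advisory, sample log lines constructed."""
import re

# (first affected, inclusive; first fixed, exclusive) as stated in the advisory.
AFFECTED_RANGES = [
    ((2, 0, 0), (6, 6, 13)),
    ((6, 7, 0), (6, 12, 4)),
    ((6, 13, 0), (6, 13, 4)),
    ((6, 14, 0), (6, 14, 3)),
    ((6, 15, 0), (6, 15, 2)),
]
WORKAROUND_PATH = "/pages/downloadallattachments.action"
# Combined-log-format prefix: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_version(text):
    """Turn '6.13.2' (a trailing suffix such as '-OD' is ignored) into an int tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True if the version falls in any affected range; 6.6.13 etc. are fixed."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def unblocked_requests(log_lines):
    """Requests for the workaround URL that were served (2xx/3xx) rather than
    blocked: evidence the temporary block is missing or misapplied."""
    served = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, _method, target, status = m.groups()
        if WORKAROUND_PATH in target.lower() and status[0] in "23":
            served.append((client, target, int(status)))
    return served


SAMPLE_LOG = [  # constructed sample lines, not from any real deployment
    '10.0.0.5 - - [18/Apr/2019:10:20:56 -0400] "GET /confluence/pages/downloadallattachments.action?pageId=12345 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [18/Apr/2019:10:21:03 -0400] "GET /confluence/pages/downloadallattachments.action?pageId=12345 HTTP/1.1" 403 199',
    '10.0.0.9 - - [18/Apr/2019:10:21:10 -0400] "GET /confluence/pages/viewpage.action?pageId=12345 HTTP/1.1" 200 8801',
]

if __name__ == "__main__":
    print(is_affected("6.13.2"), unblocked_requests(SAMPLE_LOG))
```

The first sample line is the one that should worry an operator: a 200 on the workaround URL means the block recommended above is not taking effect on that path.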
References:
[1] https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html
[2] https://list.iu.edu/sympa/arc/cv-announce-l/2019-04/msg00002.html
[3] https://www.atlassian.com/software/confluence/download/
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.