CVE-2019-3394: Confluence Server and Confluence Data Center local file disclosure warning

Atlassian has officially released a security advisory that fixes a local file disclosure vulnerability in Confluence (CVE-2019-3394). The vulnerability is rated very serious. Atlassian Confluence Server and Atlassian Data Center are products of Atlassian Corp. Atlassian Confluence Server is professional enterprise knowledge management and collaboration software that can also be used to build an enterprise wiki. Atlassian Data Center is a data center system.

The local file disclosure vulnerability in Confluence Server and Data Center exists in the page export function. A remote attacker who has permission to add a page in a space can read any file in the <install-directory>/confluence/WEB-INF directory. This directory may contain configuration files used for integration with other services, which may disclose credentials, for example LDAP credentials, or other sensitive information. If LDAP credentials are specified in the atlassian-user.xml file, they may be leaked; configuring LDAP integration through this file is not a recommended method.

Affected versions

  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions prior to 6.6.16 (the fixed version for 6.6.x)
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions
  • All 6.13.x versions prior to 6.13.7 (the fixed version for 6.13.x)
  • All 6.14.x versions
  • All 6.15.x versions prior to 6.15.8 (the fixed version for 6.15.x)
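
The list above can be turned into an inventory check. The following is an added example, not code from Atlassian or the original page; the host names and sample versions are constructed, and the thresholds are exactly those in the list (6.6.16, 6.13.7, 6.15.8). Versions outside 6.1.x to 6.15.x are reported as "not listed" because the page says nothing about them.

```python
import re

# Fixed patch level per 6.x branch, from the affected-versions list above.
# None means the list names no fixed release for that branch.
FIXED_PATCH = {minor: None for minor in range(1, 16)}
FIXED_PATCH.update({6: 16, 13: 7, 15: 8})


def parse_version(text):
    """Return (major, minor, patch); a missing patch is treated as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def status(version):
    """Classify a version as 'affected', 'fixed' or 'not listed'."""
    major, minor, patch = parse_version(version)
    if major != 6 or minor not in FIXED_PATCH:
        return "not listed"  # the list above says nothing about this branch
    fixed = FIXED_PATCH[minor]
    if fixed is None or patch < fixed:
        return "affected"
    return "fixed"


def triage(inventory):
    """Return the sorted hosts whose reported version is affected."""
    return sorted(h for h, v in inventory.items() if status(v) == "affected")


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "wiki-a.example.internal": "6.6.15",
    "wiki-b.example.internal": "6.13.7",
    "wiki-c.example.internal": "6.14.2",
    "wiki-d.example.internal": "6.15.8",
    "wiki-e.example.internal": "7.0.1",
}

if __name__ == "__main__":
    for host, version in sorted(SAMPLE.items()):
        print(f"{host}\t{version}\t{status(version)}")
    print("patch first:", ", ".join(triage(SAMPLE)))
```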

Solution

Users of Confluence can fix this vulnerability by updating Confluence Server or Confluence Data Center to version 6.6.16, 6.13.3 or 6.15.8.

Origin www.linuxidc.com/Linux/2019-09/160454.htm