CVE-2019-3398

Warnung

Exploit

EPSS 94.01%
Veröffentlicht 18.04.2019 18:29:00
Zuletzt bearbeitet 24.10.2025 13:39:16
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Confluence Server Version >= 2.0 < 6.6.13

Atlassian ≫ Confluence Server Version >= 6.7.0 < 6.12.4

Atlassian ≫ Confluence Server Version >= 6.13.0 < 6.13.4

Atlassian ≫ Confluence Server Version >= 6.14.0 < 6.14.3

Atlassian ≫ Confluence Server Version >= 6.15.0 < 6.15.2

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Atlassian Confluence Server and Data Center Path Traversal Vulnerability

Schwachstelle

Atlassian Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource that may allow a privileged, remote attacker to write files. Exploitation can lead to remote code execution.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.01%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://packetstormsecurity.com/files/152616/Confluence-Server-Data-Center-Path-Traversal.html

Third Party Advisory

VDB Entry

http://packetstormsecurity.com/files/155235/Atlassian-Confluence-6.15.1-Directory-Traversal.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/155245/Atlassian-Confluence-6.15.1-Directory-Traversal.html

Third Party Advisory

VDB Entry

http://www.securityfocus.com/bid/108067

Third Party Advisory