CVE-2019-3394

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

CVSS v3 8.8 HIGH
CVSS v2.0 4.0 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://confluence.atlassian.com/x/uAsvOg	Patch Vendor Advisory
https://jira.atlassian.com/browse/CONFSERVER-58734	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:confluence::::::::
	cpe:2.3:a:atlassian:confluence::::::::
	cpe:2.3:a:atlassian:confluence_server::::::::

History

No history.

Information

Published : 2019-08-29 15:15

Updated : 2024-02-28 17:08

NVD link : CVE-2019-3394

Mitre link : CVE-2019-3394

CVE.ORG link : CVE-2019-3394

JSON object : View

Products Affected

atlassian

confluence
confluence_server

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2019-3394", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-08-29T15:15:11.027", "references": [{"url": "https://confluence.atlassian.com/x/uAsvOg", "tags": ["Patch", "Vendor Advisory"], "source": "security@atlassian.com"}, {"url": "https://jira.atlassian.com/browse/CONFSERVER-58734", "tags": ["Vendor Advisory"], "source": "security@atlassian.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability."}, {"lang": "es", "value": "Hay una vulnerabilidad de divulgaci\u00f3n de archivos locales en Confluence Server y Confluence Data Center por medio de la exportaci\u00f3n de p\u00e1gina. Un atacante con permiso para editar una p\u00e1gina puede explotar este problema para leer archivos arbitrarios en el servidor bajo el directorio (install-directory)/confluence/WEB-INF, que puede contener archivos de configuraci\u00f3n utilizados para integrarse con otros servicios, que podr\u00edan potencialmente filtrar credenciales u otra informaci\u00f3n confidencial como credenciales de LDAP. La credencial de LDAP ser\u00e1 filtrada potencialmente solo si el servidor Confluence est\u00e1 configurado para usar LDAP como repositorio de usuarios. Todas las versiones de Confluence Server desde 6.1.0 anteriores a 6.6.16 (la versi\u00f3n corregida para 6.6.x), desde versiones 6.7.0 anteriores a 6.13.7 (la versi\u00f3n corregida para 6.13.x) y desde versiones 6.14.0 anteriores a 6.15.8 (la versi\u00f3n corregida para 6.15.x) est\u00e1n afectadas por esta vulnerabilidad."}], "lastModified": "2021-12-13T16:05:54.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05936908-961E-4BED-84F8-43EBC82428FC", "versionEndExcluding": "6.6.16", "versionStartIncluding": "6.1.0"}, {"criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3CA41EB3-96B9-490A-9624-576150354543", "versionEndExcluding": "6.13.7", "versionStartIncluding": "6.7.0"}, {"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C074617C-5D55-47C8-8AB6-B3497ADA9EC4", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.14.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@atlassian.com"}