Atlassian - Confluence Security Advisory - 2019-03-20
--------------------
This page reproduces the advisory published at https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20
CVE ID:
* CVE-2019-3395.
* CVE-2019-3396.
Product:
Confluence Server and Confluence Data Center.
Affected Confluence Server and Confluence Data Center product versions:
6.6.0 <= version < 6.6.12
6.12.0 <= version < 6.12.3
6.13.0 <= version < 6.13.3
6.14.0 <= version < 6.14.2
Fixed Confluence Server and Confluence Data Center product versions:
* for 6.6.x, Confluence Server and Data Center 6.6.12 have been released with a fix for these issues.
* for 6.12.x, Confluence Server and Data Center 6.12.3 have been released with a fix for these issues.
* for 6.13.x, Confluence Server and Data Center 6.13.3 have been released with a fix for these issues.
* for 6.14.x, Confluence Server and Data Center 6.14.2 have been released with a fix for these issues.
Summary:
This advisory discloses critical severity security vulnerabilities. Versions of Confluence Server and Data Center before 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by these vulnerabilities.
Customers who have upgraded Confluence to version 6.6.12 or 6.12.3 or 6.13.3 or 6.14.2 are not affected.
Customers who have downloaded and installed Confluence >= 6.6.0 but less than 6.6.12 (the fixed version for 6.6.x), Confluence >= 6.12.0 but less than 6.12.3 (the fixed version for 6.12.x), Confluence >= 6.13.0 but less than 6.13.3 (the fixed version for 6.13.x), or Confluence >= 6.14.0 but less than 6.14.2 (the fixed version for 6.14.x) should upgrade their Confluence installations immediately to fix these vulnerabilities.
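The affected and fixed ranges above are easy to misread by hand across four release lines, so an inventory check is the practical first step. The following is an added example, not Atlassian tooling: it transcribes the ranges exactly as the advisory states them (including the WebDAV ranges given further down, which the advisory words as "before 6.6.7", "from 6.7.0 before 6.7.3", and so on) and reports, for a version string taken from an installation or asset list, which CVEs apply and which fixed version the advisory points to. The host names and versions in the sample inventory are constructed.

```python
"""Check Confluence Server / Data Center version strings against the affected
ranges stated in the Atlassian 2019-03-20 advisory.

Added example for this page; not Atlassian code. The ranges are transcribed
from the advisory text: "before X" means any lower version, "from A before X"
means A <= version < X, and X is the fixed version to upgrade to.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# CVE -> list of (lower bound inclusive or None for "any version before", fixed version exclusive)
RANGES: Dict[str, List[Tuple[Optional[str], str]]] = {
    "CVE-2019-3396": [  # server-side template injection via Widget Connector macro
        (None, "6.6.12"),
        ("6.7.0", "6.12.3"),
        ("6.13.0", "6.13.3"),
        ("6.14.0", "6.14.2"),
    ],
    "CVE-2019-3395": [  # SSRF via the WebDAV plugin
        (None, "6.6.7"),
        ("6.7.0", "6.7.3"),
        ("6.8.0", "6.8.5"),
        ("6.9.0", "6.9.3"),
    ],
}


def parse_version(text: str) -> Version:
    """Turn '6.13.1' (optionally with a suffix such as '6.13.1-rc1', or a
    leading 'v') into a tuple of ints. Only the leading dotted numeric
    components are compared; anything after them is ignored."""
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad to three components so that '6.13' compares as 6.13.0.
    return parts + (0,) * (3 - len(parts))


def affected_by(version: str, cve: str) -> Optional[str]:
    """Return the fixed version the advisory names if `version` falls into an
    affected range for `cve`, or None if the version is not listed as affected."""
    current = parse_version(version)
    for lower, fixed in RANGES[cve]:
        lower_ok = lower is None or parse_version(lower) <= current
        if lower_ok and current < parse_version(fixed):
            return fixed
    return None


def assess(version: str) -> Dict[str, Optional[str]]:
    """Map every CVE in the advisory to its fixed version (or None) for one install."""
    return {cve: affected_by(version, cve) for cve in RANGES}


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """For an (hostname, version) inventory, list every host that needs an
    upgrade as (host, version, cve, fixed_version). Hosts already on or past
    a fixed version for every CVE are omitted."""
    findings = []
    for host, version in inventory:
        for cve, fixed in assess(version).items():
            if fixed is not None:
                findings.append((host, version, cve, fixed))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("wiki-prod.example.internal", "6.13.1"),
    ("wiki-legacy.example.internal", "6.6.5"),
    ("wiki-staging.example.internal", "6.14.2"),
    ("wiki-dc-node1.example.internal", "6.12.3"),
]

if __name__ == "__main__":
    for host, version, cve, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by {cve}; upgrade to {fixed} or later")
```

The advisory's remediation section prefers 6.14.2 or higher; the in-branch fixed version the function returns is the fallback for installations that cannot leave their release line.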
WebDAV vulnerability (CVE-2019-3395)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.
Description:
A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability via the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. Versions of Confluence before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.7.3 (the fixed version for 6.7.x), from version 6.8.0 before 6.8.5 (the fixed version for 6.8.x) and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57971
Remote code execution via Widget Connector macro (CVE-2019-3396)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.
Description:
There was a server-side template injection vulnerability in Confluence via Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence.
Versions of Confluence before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57974
Fix:
To address these issues, we have released the following versions of Confluence Server and Data Center containing a fix:
* version 6.6.12
* version 6.12.3
* version 6.13.3
* version 6.14.2
Remediation:
Upgrade Confluence Server and Data Center to version 6.14.2 or higher.
The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.
If you are running Confluence Server and/or Data Center 6.6.x and cannot upgrade to 6.14.2, upgrade to version 6.6.12.
If you are running Confluence Server and/or Data Center 6.12.x and cannot upgrade to 6.14.2, upgrade to version 6.12.3.
If you are running Confluence Server and/or Data Center 6.13.x and cannot upgrade to 6.14.2, upgrade to version 6.13.3.
For a full description of the latest version of Confluence Server and Data Center, see the release notes found at https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence Server and Confluence Data Center from the download centre found at https://www.atlassian.com/software/confluence/download.
Support:
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.