--------------------

This problem refers to the advisory found at https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20

CVE ID:

* CVE-2019-3395.

* CVE-2019-3396.

Product:

Confluence Server and Confluence Data Center.

Affected Confluence Server and Confluence Data Center product versions:

6.6.0 <= version < 6.6.12

6.12.0 <= version < 6.12.3
6.13.0 <= version < 6.13.3
6.14.0 <= version < 6.14.2

Fixed Confluence Server and Confluence Data Center product versions:

* for 6.6.x, Confluence Server and Data Center 6.6.12 have been released with a fix for these issues.

* for 6.12.x, Confluence Server and Data Center 6.12.3 have been released with a fix for these issues.

* for 6.13.x, Confluence Server and Data Center 6.13.3 have been released with a fix for these issues.

* for 6.14.x, Confluence Server and Data Center 6.14.2 have been released with a fix for these issues.

Summary:

This advisory discloses critical severity security vulnerabilities. Versions of Confluence Server and Data Center before 6.6.12 (the fixed version for 6.6.x),  from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by these vulnerabilities.

Customers who have upgraded Confluence to version 6.6.12 or 6.12.3 or 6.13.3 or 6.14.2 are not affected.

Customers who have downloaded and installed Confluence >= 6.6.0 but less than 6.6.12 (the fixed version for 6.6.x) or who have downloaded and installed Confluence >= 6.12.0 but less than 6.12.3(the fixed version for 6.12.x) or who have downloaded and installed Confluence >= 6.13.0 but less than 6.13.3 (the fixed version for 6.13.x) or who have downloaded and installed Confluence >=  6.14.0 but less than 6.14.2 (the fixed version for 6.14.x) please upgrade your Confluence installations immediately to fix these vulnerabilities.

WebDAV vulnerability (CVE-2019-3395)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability via the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. Versions of Confluence before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.7.3 (the fixed version for 6.7.x), from version 6.8.0 before 6.8.5 (the fixed version for 6.8.x) and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57971

Remote code execution via Widget Connector macro (CVE-2019-3396)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
There was a server-side template injection vulnerability in Confluence via Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence.

Versions of Confluence before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this vulnerability. This issue can be tracked at:https://jira.atlassian.com/browse/CONFSERVER-57974 .

Fix:

To address these issues, we have released the following versions of
Confluence Server and Data Center containing a fix:

* version 6.6.12
* version 6.12.3
* version 6.13.3
* version 6.14.2

Remediation:

Upgrade Confluence Server and Data Center to version 6.14.2 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Confluence Server and or Data Center 6.6.x and cannot upgrade to 6.14.2, upgrade to version 6.6.12.

If you are running Confluence Server and or Data Center 6.12.x and cannot upgrade to 6.14.2, to version 6.12.3.

If you are running Confluence Server and or Data Center 6.13.x and cannot upgrade to 6.14.2, upgrade to version 6.13.3.

For a full description of the latest version of Confluence Server and Data Center, see the release notes found at https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence Server and Confluence Data Center from the download centre found at https://www.atlassian.com/software/confluence/download.

Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

Atlassian - Confluence Security Advisory - 2019-03-20的更多相关文章

  1. 2019.03.20 mvt,Django分页

    MVT模式   MVT各部分的功能:   M全拼为Model,与MVC中的M功能相同,负责和数据库交互,进行数据处理.       V全拼为View,与MVC中的C功能相同,接收请求,进行业务处理,返 ...

  2. [2019.03.20]Linux Shell 执行传参数和expr

    前不久入职实习生,现在在帮着组里面dalao们跑Case,时不时要上去收一下有木有Dump,每次敲命令太烦人于是逼着自己学写Shell脚本.一开始真的是很痛苦啊,也没能搞到书,只能凭网上半真半假的消息 ...

  3. 2019.03.20 读书笔记 as is 以及重写隐式/显示

    强转.as is 的用法 强制转换类型有两种:子类转基类,重写隐式(implicit )\显示(explicit) 转换操作符 class myclass { private int value; p ...

  4. 2019.03.20 读书笔记 关于Reflect与Emit的datatable转list的效率对比

    Reflect public static List<T> ToListByReflect<T>(this DataTable dt) where T : new() { Li ...

  5. Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update

    Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update Package:l ...

  6. [2019.03.25]Linux中的查找

    TMUX天下第一 全世界所有用CLI Linux的人都应该用TMUX,我爱它! ======================== 以下是正文 ======================== Linu ...

  7. Debian Security Advisory DSA-4421-1 chromium security update

    Debian Security Advisory DSA-4421-1 chromium security update Package        : chromiumCVE ID         ...

  8. 2019.03.03 - Linux搭建go语言交叉环境

    编译GO 1.6版本以上的需要依赖GO 1.4版本的二进制,并且需要把GOROOT_BOOTSTRAP的路径设置为1.4版本GO的根目录,这样它的bin目录就可以直接使用到1.4版本的GO 搭建go语 ...

  9. Debian Security Advisory(Debian安全报告) DSA-4416-1 wireshark security update

    Debian Security Advisory(Debian安全报告) DSA-4416-1 wireshark security update Package:wireshark CVE ID : ...

随机推荐

  1. webpack入门(六) API in modules

    A quick summary of all methods and variables available in code compiled with webpack. 用webpack编译的一些变 ...

  2. Cookie知识点总结

    Cookie机制是采用客户端保持Http状态信息的方案. Cookie是在浏览器访问web服务器的某个资源的时候,由web服务器在http响应消息头中附带给浏览器的一个小文本文件. 一旦web服务器保 ...

  3. QML学习笔记(五)— 做一个简单的待做事项列表

    做一个简单的QML待做事项列表,能够动态添加和删除和编辑数据 GitHub:八至 作者:狐狸家的鱼 本文链接:QML学习笔记(五)— 做一个待做事项列表 主要用到QML:ListView 效果 全部代 ...

  4. CF1140E Palindrome-less Arrays

    我觉得这道题非常有前途....... 题意:给定一个填了一半的数组,你要把它补完,使之不存在奇回文串,求方案数.字符集为k. n,k<=20w 解:不能有长为三的回文串.也就是不能有两个相隔1的 ...

  5. 第三十一篇-TextInputLayout(增强文本输入)的使用

    效果图: 密码使用的是增强文本输入类型,当密码长度小于6或者密码长度大于10的时候就会给出提示. main.xml 当添加TextInputLayout时,旁边会有一个下载符号,如果点不动,可以右键点 ...

  6. Altium Designer 17 ------ 多层板设计

    Pullback:在内电层边缘设置一个去铜边界,以保证内电层边界距离PCB边缘有一个安全间距.

  7. java十进制转三十六进制

    import java.util.HashMap; public class Ten2Thirty { private static final String X36 = "01234567 ...

  8. Java流程控制语句和数组整理

    7.1选择结构switch switch (表达式){ case 目标值1: 执行语句1 break; case 目标值2: 执行语句2 break; ...... case 目标值n: 执行语句n ...

  9. nginx配置打印请求响应内容

    #放在http{}里面 log_format kyh ' [$time_local] "$request" $status \n' 'req_header:"$req_h ...

  10. webpack打包进内联html

    用到一个新插件:html-webpack-inline-source-plugin(依赖于html-webpack-plugin) 1.安装 npm i -D html-webpack-inline- ...