This post reproduces the advisory found at https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20

CVE ID:

* CVE-2019-3395
* CVE-2019-3396

Product:

Confluence Server and Confluence Data Center.

Affected Confluence Server and Confluence Data Center product versions:

* 6.6.0 <= version < 6.6.12
* 6.12.0 <= version < 6.12.3
* 6.13.0 <= version < 6.13.3
* 6.14.0 <= version < 6.14.2

Fixed Confluence Server and Confluence Data Center product versions:

* for 6.6.x, Confluence Server and Data Center 6.6.12 have been released with a fix for these issues.

* for 6.12.x, Confluence Server and Data Center 6.12.3 have been released with a fix for these issues.

* for 6.13.x, Confluence Server and Data Center 6.13.3 have been released with a fix for these issues.

* for 6.14.x, Confluence Server and Data Center 6.14.2 have been released with a fix for these issues.

Summary:

This advisory discloses critical-severity security vulnerabilities. Versions of Confluence Server and Data Center before 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by these vulnerabilities.

Customers who have upgraded Confluence to version 6.6.12, 6.12.3, 6.13.3 or 6.14.2 are not affected.

Customers who have downloaded and installed Confluence >= 6.6.0 but less than 6.6.12 (the fixed version for 6.6.x), >= 6.12.0 but less than 6.12.3 (the fixed version for 6.12.x), >= 6.13.0 but less than 6.13.3 (the fixed version for 6.13.x), or >= 6.14.0 but less than 6.14.2 (the fixed version for 6.14.x) should upgrade their Confluence installations immediately to fix these vulnerabilities.

WebDAV vulnerability (CVE-2019-3395)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability via the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. Versions of Confluence before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.7.3 (the fixed version for 6.7.x), from version 6.8.0 before 6.8.5 (the fixed version for 6.8.x) and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57971

Remote code execution via Widget Connector macro (CVE-2019-3396)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

There was a server-side template injection vulnerability in Confluence via Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence.

Versions of Confluence before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57974

Fix:

To address these issues, we have released the following versions of
Confluence Server and Data Center containing a fix:

* version 6.6.12
* version 6.12.3
* version 6.13.3
* version 6.14.2

Remediation:

Upgrade Confluence Server and Data Center to version 6.14.2 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Confluence Server and/or Data Center 6.6.x and cannot upgrade to 6.14.2, upgrade to version 6.6.12.

If you are running Confluence Server and/or Data Center 6.12.x and cannot upgrade to 6.14.2, upgrade to version 6.12.3.

If you are running Confluence Server and/or Data Center 6.13.x and cannot upgrade to 6.14.2, upgrade to version 6.13.3.

For a full description of the latest version of Confluence Server and Data Center, see the release notes found at https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence Server and Confluence Data Center from the download centre found at https://www.atlassian.com/software/confluence/download.
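The version ranges in the Summary and the per-branch upgrade targets under Remediation are easy to misread when triaging a fleet, so the following added example (not part of the Atlassian advisory) encodes them as a checker. It transcribes the ranges from the Summary paragraph, which counts every release before 6.6.12 and every release from 6.7.0 up to but not including 6.12.3 as affected, so the 6.7.x through 6.11.x branches are flagged even though the short "Affected versions" list above omits them. The host names and versions in SAMPLE_INVENTORY are constructed, and parse_version, fixed_version_for and triage_inventory are names chosen here, not Atlassian tooling.

```python
"""Check Confluence version strings against the affected ranges in this advisory.

Added example, not part of the Atlassian advisory. AFFECTED_RANGES is
transcribed from the advisory's Summary paragraph; SAMPLE_INVENTORY is
constructed sample data, not real hosts.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '6.13.3' into (6, 13, 3); pad to three components so '6.6' == '6.6.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) > 3:
        raise ValueError(f"unexpected Confluence version format: {text!r}")
    return parts + (0,) * (3 - len(parts))


# (lower bound inclusive, or None for "everything below"; upper bound exclusive;
#  the fix version the advisory names for that branch)
AFFECTED_RANGES = [
    (None,     "6.6.12", "6.6.12"),
    ("6.7.0",  "6.12.3", "6.12.3"),
    ("6.13.0", "6.13.3", "6.13.3"),
    ("6.14.0", "6.14.2", "6.14.2"),
]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fix version for an affected release, or None if the release is not listed as affected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or parse_version(low) <= v) and v < parse_version(high):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, fix) for every host still running an affected release."""
    findings = []
    for host, version in inventory:
        fixed = fixed_version_for(version)
        if fixed is not None:
            findings.append((host, version, fixed))
    return findings


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    ("wiki-prod-01", "6.6.11"),   # 6.6.x branch, below the 6.6.12 fix
    ("wiki-prod-02", "6.6.12"),   # already on the fixed 6.6.x release
    ("wiki-legacy",  "6.10.1"),   # covered by "from 6.7.0 before 6.12.3"
    ("wiki-dc-01",   "6.13.3"),   # already on the fixed 6.13.x release
    ("wiki-dc-02",   "6.14.1"),   # 6.14.x branch, below the 6.14.2 fix
]

if __name__ == "__main__":
    for host, version, fixed in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected; upgrade to at least {fixed}")
```

Releases newer than 6.14.2 return None because the advisory does not list them, which is the correct reading of this advisory but not a statement about later ones; a fleet check should be re-run against each new advisory rather than treating "not listed here" as "safe".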

Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.
