Remote DoS Exploit on Confluence

Type atlassian
Modified 2017-02-17T04:30:27


Nir Goldshlager has discovered a vulnerability in atlassian-gadgets when parsing XML.

Basically anyone can craft a URL containing a parameter with some XML that will make the instance run out of memory when trying to parse it.
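The advisory does not spell out which XML construct exhausts memory, so as an added illustration (not code from Atlassian, Apache Shindig or this issue) here is a defensive parser wrapper in Python that refuses the usual culprits: DTD entity declarations, external entity references and oversized input. It assumes the gadget spec arrives as raw bytes and that any entity declaration is unwanted in a gadget XML; the `MAX_XML_BYTES` ceiling and the `Module`/`ModulePrefs` sample document are constructed for the example.

```python
import xml.parsers.expat

# Assumed ceiling for a gadget spec; tune per deployment. Checked before parsing
# so that an oversized document never reaches the parser at all.
MAX_XML_BYTES = 64 * 1024


class UnsafeXmlError(ValueError):
    """Raised when the document uses a construct that can blow up parser memory."""


def parse_gadget_xml(data: bytes) -> list:
    """Parse XML while refusing entity declarations and external entity references.

    Returns a list of (element_name, attributes) tuples for every start tag,
    which is enough to show that benign documents still parse normally.
    """
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXmlError(f"document exceeds {MAX_XML_BYTES} bytes")

    seen = []
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch or expand external parameter entities (remote DTDs).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        # Any <!ENTITY ...> in the internal subset aborts the parse; exceptions
        # raised in expat handlers propagate out of Parse().
        raise UnsafeXmlError(f"entity declaration {name!r} is not allowed")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXmlError("external entity references are not allowed")

    def record_start(name, attrs):
        seen.append((name, attrs))

    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = record_start
    parser.Parse(data, True)
    return seen


def is_safe_gadget_xml(data: bytes) -> bool:
    """True if the document parses without tripping any of the guards above."""
    try:
        parse_gadget_xml(data)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a minimal gadget spec and one carrying a DTD entity.
    benign = b"<Module><ModulePrefs title='demo'/></Module>"
    with_entity = b"<!DOCTYPE m [<!ENTITY e 'x'>]><m>&e;</m>"
    print("benign accepted:", is_safe_gadget_xml(benign))
    print("entity document accepted:", is_safe_gadget_xml(with_entity))
```

The guard rejects entity declarations outright rather than trying to bound their expansion, which is the simpler and safer policy when the document format (a gadget spec) has no legitimate use for them.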

Details on the attack can be found on

The vulnerability was detected on our fork of apache shindig, which atlassian-gadgets depends on. We have made a fix and published a new version for it (1.0-incubating-atlassian-20) that solves the problem.

Any product that uses atlassian-gadgets to render gadgets is vulnerable to this, and Confluence is one of those.

You would need to check your current version of atlassian-gadgets and see which version of apache shindig it is using. Anything lower than 1.0-incubating-atlassian-20 would make Confluence vulnerable to this attack.

The fix is quite easy: bump the shindig version in the version of gadgets that you are using, then release a new version of gadgets and bump the gadgets version in Confluence to pick up the fix.

If you need any details, ping me @jsanchez.