Local File Disclosure via Word Export in Confluence Server - CVE-2019-3394

Type atlassian
Reporter mchang@atlassian.com
Modified 2020-05-22T08:26:47


Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the <install-directory>/confluence/WEB-INF/ directory and it's subdirectories, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server LDAP credential is specified in atlassian-user.xml file, which is deprecated way of configure LDAP integration.

Affected versions: * All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

Fix: * Confluence Server and Data Center versions 6.15.8 is available for download from [https://www.atlassian.com/software/confluence/download]. * Confluence Server and Data Center versions 6.6.16 and 6.13.7 are available for download from [https://www.atlassian.com/software/confluence/download-archives] .

For additional details, see the [full advisory|https://confluence.atlassian.com/x/uAsvOg]. h3. Workaround

Please see the [full advisory|https://confluence.atlassian.com/x/uAsvOg] for mitigation information.