Insecure version of Spring Web MVC used in Confluence Analytics
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Hello! A transitive dependency issue has been found in Confluence Analytics:
https://atlassian.sourceclear.io/workspaces/Paaina7/issues/vulnerabilities/26465610
Confluence Analytics has a transitive dependency on the Spring Web MVC library, which has a security bug.
The issue can be fixed by overriding and adding a new direct dependency of the library in your project.
We do not have a confirmed fix for this issue yet. However, newer versions of the library have been released. We suggest that you upgrade to 4.3.20.RELEASE, which is considered safe.
To upgrade, update the pom.xml file:
{code:java}
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-webmvc</artifactId>
- <version>4.3.20.RELEASE</version>
- </dependency>
{code}
| CPE | Name | Operator | Version |
|---|---|---|---|
| confluence server | lt | 7.5.0 | |
| confluence server | le | 7.3.4 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P