8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.048 Low
EPSS
Percentile
92.6%
h3. Problem
XStream is vulnerable to security exploits including [CVE-2021-29505|http://x-stream.github.io/CVE-2021-29505.html]. This ticket tracks it’s upgrade to 1.4.17
{panel:title=Atlassian Update - July 2021|borderStyle=solid|borderColor=#6554c0|titleBGColor=#6554c0|bgColor=#eae6ff}
We have upgraded XStream to 1.4.17. If your plugin bundles your own version of XStream you will also need to upgrade to this version or later. This is because XStream 1.4.16 provides a newer implementation of {{XmlPullParser}} through service loader. XStream’s default parser has changed from {{Xpp3}} to {{MXParser}}, which is a fork of {{Xpp3}}. You can read more about the changes in the [XStream change log|https://x-stream.github.io/changes.html].
When upgrading XStream in our own plugins, we found that it remained compatible with older Confluence versions, as there’s a dependency of {{xpp3_min}} which helps the plugin to work with older {{XmlPullParser}} implementations mentioned in service loader in older Confluence versions.
{panel}
h3. Environment
Confluence v7.4
h3. Workaround
There are no workaround available for this up til now.
CPE | Name | Operator | Version |
---|---|---|---|
confluence data center | le | 7.4.4 | |
confluence data center | lt | 7.12.3 | |
confluence data center | lt | 7.13.0 |
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.048 Low
EPSS
Percentile
92.6%