ID CVE-2019-3395 Type cve Reporter cve@mitre.org Modified 2019-03-26T17:14:00
Description
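The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.
Note for triage: the affected-version data in the record below (before 6.6.12, 6.7.0 before 6.12.3, 6.13.0 before 6.13.3, 6.14.0 before 6.14.2) and the linked Nessus plugin do not use the ranges stated in this description. They match the ranges given for CVE-2019-3396 in the vendor issue CONFSERVER-57974, and the plugin records CVE-2019-3396 as its CVSS score source. The plugin relies only on the self-reported version, so a match does not show which of the two issues applies to a host. The releases in the vendor's Fix list for this issue (6.6.12, 6.12.3, 6.13.3, 6.14.2, 6.15.1) are the same ones listed for CVE-2019-3396.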
{"id": "CVE-2019-3395", "bulletinFamily": "NVD", "title": "CVE-2019-3395", "description": "The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.", "published": "2019-03-25T19:29:00", "modified": "2019-03-26T17:14:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3395", "reporter": "cve@mitre.org", "references": ["https://jira.atlassian.com/browse/CONFSERVER-57971"], "cvelist": ["CVE-2019-3395"], "type": "cve", "lastseen": "2021-02-02T07:13:00", "edition": 9, "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-57971", "ATLASSIAN:CONFSERVER-57974"]}, {"type": "nessus", "idList": ["CONFLUENCE_6_6_12.NASL"]}], "modified": "2021-02-02T07:13:00", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-02-02T07:13:00", "rev": 2}, "vulnersScore": 6.4}, "cpe": [], "affectedSoftware": [{"cpeName": "atlassian:confluence", "name": "atlassian confluence", "operator": "lt", "version": "6.12.3"}, {"cpeName": "atlassian:confluence", "name": "atlassian confluence", "operator": "lt", "version": "6.13.3"}, {"cpeName": "atlassian:confluence", "name": "atlassian confluence", "operator": "lt", "version": "6.14.2"}, {"cpeName": "atlassian:confluence", "name": "atlassian confluence", "operator": "lt", "version": "6.6.12"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": [], "cwe": ["CWE-918"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:atlassian:confluence:6.12.3:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.3", "versionStartIncluding": "6.7.0", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:atlassian:confluence:6.14.2:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14.0", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:atlassian:confluence:6.13.3:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.3", "versionStartIncluding": "6.13.0", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:atlassian:confluence:6.6.12:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.12", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://jira.atlassian.com/browse/CONFSERVER-57971", "refsource": "MISC", "tags": ["Patch", "Vendor Advisory", "Issue Tracking"], "url": "https://jira.atlassian.com/browse/CONFSERVER-57971"}], "immutableFields": []}
{"atlassian": [{"lastseen": "2020-12-24T14:35:27", "bulletinFamily": "software", "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "description": "There was an SSRF vulnerability in Confluence Server and Data Center in the WebDAV plugin. A remote attacker is able to exploit this issue to send arbitrary HTTP and WebDAV requests from a Confluence Server instance.\r\n\r\n\u00a0\r\n\r\n*Affected versions:*\r\n * All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x).\r\n\r\n\u00a0\r\n\r\n*Fix:*\r\n * Confluence Server version 6.15.1 is available for download from [https://www.atlassian.com/software/confluence/download].\r\n * Confluence Server version 6.14.2 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.13.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.12.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.6.12 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the full advisory: [https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20]\r\n\r\n\u00a0", "edition": 15, "modified": "2020-05-22T08:25:56", "published": "2019-02-27T22:52:13", "id": "ATLASSIAN:CONFSERVER-57971", "href": "https://jira.atlassian.com/browse/CONFSERVER-57971", "title": "SSRF via WebDAV endpoint - CVE-2019-3395", "type": "atlassian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T14:35:22", "bulletinFamily": "software", "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "description": "There was a server-side template injection 
vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.\r\n\r\n\u00a0\r\n\r\n*Affected versions:*\r\n\r\nAll versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).\r\n\r\n\u00a0\r\n\r\n*Fix:*\r\n * Confluence Server version 6.15.1 is available for download from [https://www.atlassian.com/software/confluence/download].\r\n * Confluence Server version 6.14.2 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.13.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.12.3 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n * Confluence Server version 6.6.12 is available for download from [https://www.atlassian.com/software/confluence/download-archives].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the full advisory: [https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20]\r\n\r\n\u00a0", "edition": 32, "modified": "2020-05-22T08:24:06", "published": "2019-02-28T03:02:04", "id": "ATLASSIAN:CONFSERVER-57974", "href": "https://jira.atlassian.com/browse/CONFSERVER-57974", "title": "Remote code execution via Widget Connector macro - CVE-2019-3396", "type": "atlassian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-09-14T13:25:47", "description": "According to its self-reported version number, the Atlassian\nConfluence application running on the remote host is prior to 
6.6.12,\n6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to\n6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the\n WebDAV plugin due to improper input validation. An\n attacker can exploit this, via unspecified vectors, to\n send arbitrary HTTP and WebDAV requests from the\n application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget\n Connector due to improper input validation. An attacker\n can exploit this, via unspecified vectors, to traverse\n directories or execute arbitrary code. (CVE-2019-3396)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 9, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-22T00:00:00", "title": "Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "modified": "2019-03-22T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_6_6_12.NASL", "href": "https://www.tenable.com/plugins/nessus/123008", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123008);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/01\");\n\n script_cve_id(\"CVE-2019-3395\", \"CVE-2019-3396\");\n script_bugtraq_id(107543);\n script_xref(name:\"IAVA\", value:\"2019-A-0135-S\");\n\n script_name(english:\"Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Atlassian Confluence version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by\nmultiple 
vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian\nConfluence application running on the remote host is prior to 6.6.12,\n6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to\n6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the\n WebDAV plugin due to improper input validation. An\n attacker can exploit this, via unspecified vectors, to\n send arbitrary HTTP and WebDAV requests from the\n application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget\n Connector due to improper input validation. An attacker\n can exploit this, via unspecified vectors, to traverse\n directories or execute arbitrary code. (CVE-2019-3396)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8e8304c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.6.12, 6.12.3, 6.13.3,\n6.14.2, 6.15.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-3396\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Confluence File 
Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Widget Connector Macro Velocity Template Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/22\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp_name = \"confluence\";\n\nport = get_http_port(default:80);\n\napp_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"fixed_version\": \"6.6.12\" },\n {\"min_version\": \"6.7.0\", \"fixed_version\": \"6.12.3\", \"fixed_display\": \"6.12.3 / 6.15.1\"},\n {\"min_version\": \"6.13.0\", \"fixed_version\": \"6.13.3\", \"fixed_display\": \"6.13.3 / 6.15.1\" },\n {\"min_version\": \"6.14.0\", \"fixed_version\": \"6.14.2\", \"fixed_display\": \"6.14.2 / 6.15.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}