Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CVE-2019-3398

🗓️ 18 Apr 2019 17:21:37Reported by atlassianType 
cve
 cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 1082 Views🌐 WEB

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource, allowing remote code execution

Related
Detection
Affected
Refs
Paths
Social
ReporterTitlePublishedViews
Family
0day.today		Confluence Server / Data Center Path Traversal Vulnerability
24 Apr 201900:00
zdt
0day.today		Atlassian Confluence 6.15.1 - Directory Traversal Vulnerability
12 Nov 201900:00
zdt
0day.today		Atlassian Confluence 6.15.1 - Directory Traversal Exploit
12 Nov 201900:00
zdt
ATTACKERKB		CVE-2019-3398
18 Apr 201900:00
attackerkb
Atlassian		Confluence - Path traversal vulnerability - CVE-2019-3398
31 Mar 201921:40
atlassian
Atlassian		Confluence - Path traversal vulnerability - CVE-2019-3398
31 Mar 201921:40
atlassian
BDU FSTEC		The vulnerability in the Atlassian Confluence Server’s web server exists due to an incorrect path name limitation for the restricted access catalog. This allows a hacker to write files anywhere and execute any code.
15 May 202000:00
bdu_fstec
Circl		CVE-2019-3398
9 Dec 202007:18
circl
CISA KEV Catalog		Atlassian Confluence Server and Data Center Path Traversal Vulnerability
3 Nov 202100:00
cisa_kev
Tenable Nessus		Atlassian Confluence < 6.6.13 / 6.7.x < 6.12.4 / 6.13.x < 6.13.4 / 6.14.x < 6.14.3 / 6.15.x < 6.15.2 Directory Traversal Vulnerability
25 Apr 201900:00
nessus
Rows per page
NVD
Node
atlassianconfluence_serverRange2.06.6.13
OR
atlassianconfluence_serverRange6.7.06.12.4
OR
atlassianconfluence_serverRange6.13.06.13.4
OR
atlassianconfluence_serverRange6.14.06.14.3
OR
atlassianconfluence_serverRange6.15.06.15.2
[
  {
    "product": "Confluence",
    "vendor": "Atlassian",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.6.13",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "6.7.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.12.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "6.13.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.13.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "6.14.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.14.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "6.15.0",
        "versionType": "custom"
      },
      {
        "lessThan": "6.15.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
ParameterPositionPathDescriptionCWE
pageIdquery parampages/downloadallattachments.actionPath traversal vulnerability in downloadallattachments allows arbitrary file write via crafted pageId (and related parameters) to place shellcode on serverCWE-22
pageIdquery paramplugins/drag-and-drop/upload.actionShellcode upload via path traversal in filename parameter enables writing shellcode to a root directoryCWE-22
filenamequery paramplugins/drag-and-drop/upload.actionShellcode upload via path traversal in filename parameter enables writing shellcode to a root directoryCWE-22
sizequery paramplugins/drag-and-drop/upload.actionShellcode upload via path traversal in filename parameter enables writing shellcode to a root directoryCWE-22
mimeTypequery paramplugins/drag-and-drop/upload.actionShellcode upload via path traversal in filename parameter enables writing shellcode to a root directoryCWE-22
spaceKeyquery paramplugins/drag-and-drop/upload.actionShellcode upload via path traversal in filename parameter enables writing shellcode to a root directoryCWE-22
atl_tokenquery paramplugins/drag-and-drop/upload.actionShellcode upload via path traversal in filename parameter enables writing shellcode to a root directoryCWE-22
namequery paramplugins/drag-and-drop/upload.actionShellcode upload via path traversal in filename parameter enables writing shellcode to a root directoryCWE-22

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Jun 2026 02:35Current
8.8High risk
Vulners AI Score8.8
CVSS 3.18.8
CVSS 29
EPSS0.97153
SSVC
CWE-22In Wild
cve-2019-3398confluenceserverdata centerpath traversalvulnerabilityremote code executionnvdsecurity fix
1082