
Atlassian Confluence 9.2.8 < 9.2.11 (CONFSERVER-101842)

Published: 05 Feb 2026 00:00:00
Reported by: Tenable
Type: nessus
Source: www.tenable.com

Confluence Server versions 9.2.8 up to (but not including) 9.2.11 are affected by a channel binding flaw in the PostgreSQL JDBC driver (CVE-2025-49146), which is fixed in pgjdbc 42.7.7.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(298043);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/05");

  script_cve_id("CVE-2025-49146");

  script_name(english:"Atlassian Confluence 9.2.8 < 9.2.11 (CONFSERVER-101842)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Atlassian Confluence host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in
the CONFSERVER-101842 advisory.

  - pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC
    driver is configured with channel binding set to required (default value is prefer), the driver would
    incorrectly allow connections to proceed with authentication methods that do not support channel binding
    (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to
    intercept connections that users believed were protected by channel binding requirements. This
    vulnerability is fixed in 42.7.7. (CVE-2025-49146)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/CONFSERVER-101842");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Atlassian Confluence version 9.2.11 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-49146");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/05");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:confluence");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("confluence_detect.nasl", "confluence_nix_installed.nbin", "confluence_win_installed.nbin");
  script_require_keys("installed_sw/Atlassian Confluence");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'Atlassian Confluence');

var constraints = [
  { 'min_version' : '9.2.8', 'fixed_version' : '9.2.11' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);
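
The plugin above relies only on Confluence's self-reported version, so a direct look at the bundled driver is a useful follow-up. The following is an added example, not Tenable's or Atlassian's code: it classifies pgjdbc jar names against the 42.7.4 to 42.7.7 range quoted in the description and flags deployments whose JDBC URL requests channel binding. The jar naming pattern, the `channelBinding=require` URL property, and the sample host and database names are assumptions.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs

AFFECTED_MIN = (42, 7, 4)  # first affected pgjdbc release per the advisory text
FIXED = (42, 7, 7)         # first fixed pgjdbc release per the advisory text

# Assumed jar naming: postgresql-<major>.<minor>.<patch>[.suffix].jar
JAR_RE = re.compile(r"^postgresql-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")


def driver_version(jar_name):
    """Return the (major, minor, patch) tuple from a pgjdbc jar name, or None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(part) for part in m.groups()) if m else None


def channel_binding_required(jdbc_url):
    """True when the JDBC URL asks for channelBinding=require (assumed property name)."""
    url = jdbc_url[len("jdbc:"):] if jdbc_url.startswith("jdbc:") else jdbc_url
    values = parse_qs(urlsplit(url).query).get("channelBinding", [])
    return any(v.lower() == "require" for v in values)


def assess(jar_name, jdbc_url):
    """Classify one driver jar against the advisory's affected range."""
    version = driver_version(jar_name)
    if version is None:
        return "unknown"
    if not (AFFECTED_MIN <= version < FIXED):
        return "not-affected"
    # In the affected range the 'require' setting is not enforced, so a
    # deployment that relies on it is the case the advisory describes.
    return "exposed" if channel_binding_required(jdbc_url) else "affected-driver"


def scan_dir(lib_dir, jdbc_url):
    """Assess every postgresql-*.jar found directly in lib_dir."""
    return {name: assess(name, jdbc_url)
            for name in sorted(os.listdir(lib_dir))
            if name.startswith("postgresql-") and name.endswith(".jar")}


if __name__ == "__main__":
    # Constructed sample inputs; host and database names are placeholders.
    url = "jdbc:postgresql://db.example.internal:5432/confluence?sslmode=verify-full&channelBinding=require"
    for jar in ("postgresql-42.7.3.jar", "postgresql-42.7.6.jar", "postgresql-42.7.7.jar"):
        print(jar, assess(jar, url))
```

A result of `affected-driver` means the jar is in the vulnerable range but the connection does not request mandatory channel binding, so the upgrade is still due even though no enforcement expectation is currently being broken.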

Scores as of 05 Feb 2026 00:00 (current):
Vulners AI Score: 5.6 (Medium risk)
CVSS 3.1: 5.9 - 8.2
EPSS: 0.0004