Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-3398


Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.


Published

2019-04-18T18:29:00.970

Last Modified

2025-02-10T18:54:57.053

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE
Exploitability Score

8.0

Impact Score

10.0

Weaknesses
  • Type: Primary
    CWE-22
  • Type: Secondary
    CWE-22

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application atlassian confluence_server < 6.6.13 Yes
Application atlassian confluence_server < 6.12.4 Yes
Application atlassian confluence_server < 6.13.4 Yes
Application atlassian confluence_server < 6.14.3 Yes
Application atlassian confluence_server < 6.15.2 Yes

References