Multiple Critical Vulnerabilities in Atlassian Confluence (CVE-2019-3396)

April 17, 2019

Summary

Multiple critical security vulnerabilities have been discovered in Atlassian Confluence Server and Confluence Data Center.
Information Security & Policy recommends emergency, out-of-band patching of all vulnerable Confluence servers. These flaws are being actively exploited in the wild.

Impact

Attackers can exploit path traversal and other bugs to remotely execute code on vulnerable systems. [1] [2]

Vulnerable

Confluence Server & Confluence Data Center:

  • All 2.x.x versions
  • All 3.x.x versions
  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions before 6.6.13
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions before 6.12.4
  • All 6.13.x versions before 6.13.4
  • All 6.14.x versions before 6.14.3
  • All 6.15.x versions before 6.15.2
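The version list above is easy to misread when triaging a fleet by hand (a 6.6.x build is only safe from 6.6.13, while every 6.7.x build is vulnerable). The following Python helper, added here as an example and not code from Atlassian or from this advisory's authors, encodes the ranges exactly as listed and reports each host as vulnerable, fixed, or not listed. Versions the advisory does not mention (for example 6.0.x or 7.x) are deliberately reported as "not listed" rather than assumed safe. The hostnames and versions in the sample inventory are constructed.

```python
"""Triage helper: check Confluence Server / Data Center version strings
against the vulnerable ranges listed in this advisory for CVE-2019-3396.

Added example for this page; not Atlassian's or the advisory author's code.
The ranges below are transcribed from the advisory's "Vulnerable" list;
anything outside those ranges is reported as "not listed", not as safe.
"""
import re
from typing import Dict, Iterable, Tuple

# Major versions the advisory lists as vulnerable in full (all x.y.z releases).
FULLY_VULNERABLE_MAJORS = {2, 3, 4, 5}

# 6.x minor lines the advisory lists as vulnerable in full.
FULLY_VULNERABLE_6X_MINORS = {1, 2, 3, 4, 5, 7, 8, 9, 10, 11}

# 6.x minor lines with a fixed release: vulnerable when version < first fixed.
FIRST_FIXED_6X = {
    6: (6, 6, 13),
    12: (6, 12, 4),
    13: (6, 13, 4),
    14: (6, 14, 3),
    15: (6, 15, 2),
}

# Accepts "major.minor" or "major.minor.patch"; trailing qualifiers are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; a missing patch is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not listed' for one version string."""
    major, minor, patch = parse_version(version)
    if major in FULLY_VULNERABLE_MAJORS:
        return "vulnerable"
    if major == 6:
        if minor in FULLY_VULNERABLE_6X_MINORS:
            return "vulnerable"
        fixed = FIRST_FIXED_6X.get(minor)
        if fixed is not None:
            return "vulnerable" if (major, minor, patch) < fixed else "fixed"
    return "not listed"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each hostname to its assessment; inventory is (host, version) pairs."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [
        ("wiki-legacy.example.org", "5.10.8"),
        ("wiki-prod.example.org", "6.6.12"),
        ("wiki-dc.example.org", "6.13.4"),
        ("wiki-test.example.org", "6.15.1"),
        ("wiki-new.example.org", "6.15.2"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:28} {status}")
```

Feed it the (host, version) pairs from your asset inventory; anything reported as "vulnerable" should be scheduled for the out-of-band upgrade recommended below, and "not listed" results should be checked against Atlassian's own advisory rather than treated as patched.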

Recommendations

Upgrade to a patched version of Confluence Server or Confluence Data Center immediately. [1] [2]

References