Multiple Critical Vulnerabilities in Atlassian Confluence (CVE-2019-3396)

April 17, 2019


Multiple critical security vulnerabilities have been discovered in Atlassian Confluence Server and Confluence Data Center.
Information Security & Policy recommends emergency, out-of-band patching of all vulnerable Confluence servers. These flaws are actively being exploited in the wild.


Attackers can exploit path traversal and other bugs to remotely execute code on vulnerable systems. [1] [2]


Confluence Server & Confluence Data Center:

  • All 2.x.x versions
  • All 3.x.x versions
  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions before 6.6.13
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions before 6.12.4
  • All 6.13.x versions before 6.13.4
  • All 6.14.x versions before 6.14.3
  • All 6.15.x versions before 6.15.2


Upgrade to a patched version of Confluence Server or Confluence Data Center immediately. [1] [2]
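
An added example, not part of the original advisory: a Python check that tests installed Confluence version strings against the affected ranges listed above and sorts an inventory into hosts to patch and hosts to review by hand. The host names and versions in the sample inventory are constructed; a version the list does not mention (such as 6.0.x or 7.x) returns False, which means "not listed on this page", not "confirmed safe".

```python
import re

# Encoded from the advisory's version list above (nothing added beyond it).
ALL_RELEASES_MAJOR = {2, 3, 4, 5}                        # "All N.x.x versions"
ALL_RELEASES_6_MINOR = {1, 2, 3, 4, 5, 7, 8, 9, 10, 11}  # "All 6.N.x versions"
FIRST_FIXED_PATCH = {6: 13, 12: 4, 13: 4, 14: 3, 15: 2}  # "6.N.x before 6.N.P"

def parse_version(text):
    """Return (major, minor, patch) as integers; a missing patch counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_listed_affected(text):
    """True if the version falls in a range the advisory lists as affected."""
    major, minor, patch = parse_version(text)
    if major in ALL_RELEASES_MAJOR:
        return True
    if major != 6:
        return False  # not listed on this page; check the vendor advisory
    if minor in ALL_RELEASES_6_MINOR:
        return True
    # Compare patch levels as integers: as strings, "9" would sort after "13".
    fixed = FIRST_FIXED_PATCH.get(minor)
    return fixed is not None and patch < fixed

def triage(inventory):
    """Split {host: version} into hosts to patch and hosts needing manual review."""
    patch_now, review = [], []
    for host, version in sorted(inventory.items()):
        try:
            if is_listed_affected(version):
                patch_now.append(host)
        except ValueError:
            review.append(host)  # version could not be parsed; verify by hand
    return patch_now, review

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "wiki-a.example": "6.6.9",
    "wiki-b.example": "6.6.13",
    "wiki-c.example": "5.10.8",
    "wiki-d.example": "6.15.2",
    "wiki-e.example": "unknown",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```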