Confluence Server Advisory - WebDAV and Widget Connector Vulnerabilities (CVE-2019-3395 | CVE-2019-3396)

About vulnerability

This critical vulnerability affects Confluence Server and Confluence Data Center. It does not affect users of Confluence Server or Data Center who have updated to versions 6.6.12, 6.12.3, 6.13.3, 6.14.2 or higher, nor users of Confluence Cloud.

This vulnerability applies to users who have the following versions of Confluence Server or Data Center installed:

All versions 1.xx, 2.xx, 3.xx, 4.xx and 5.xx

All versions 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x and 6.5.x

All versions 6.6.x to 6.6.12

All versions 6.7.x, 6.8.x, 6.9.x, 6.10.x and 6.11.x

All versions 6.12.x to 6.12.3

All versions 6.13.x to 6.13.3

All versions 6.14.x to 6.14.2
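Checking an inventory of Confluence instances against the version ranges above is tedious by hand, so the following added example (not code from this advisory or from Atlassian) encodes them as a small checker. It follows the advisory's own statement that 6.6.12, 6.12.3, 6.13.3 and 6.14.2 are the fixed releases on their branches and that 6.15.1 is fixed, and it conservatively treats any other version below 6.15.1 as affected. The host names and version strings in the sample inventory are constructed for illustration.

```python
# Added example: classify Confluence Server / Data Center version strings
# against the affected ranges in this advisory (CVE-2019-3395, CVE-2019-3396).
# Not Atlassian's code; the inventory below is constructed sample data.
from typing import Dict, Tuple

# First fixed release on each maintained branch, as named in the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 6): (6, 6, 12),
    (6, 12): (6, 12, 3),
    (6, 13): (6, 13, 3),
    (6, 14): (6, 14, 2),
}
# First release of the fixed main line named in the advisory.
FIRST_FIXED_LINE = (6, 15, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR' or 'MAJOR.MINOR.PATCH' into a comparable tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """True if the version falls inside the advisory's affected ranges."""
    version = parse_version(text)
    if version >= FIRST_FIXED_LINE:
        return False
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is not None:
        # Patched branch: only releases before the fix are affected.
        return version < fixed
    # Every other branch before 6.15.1 (1.x-5.x, 6.0-6.5, 6.7-6.11) has
    # no fixed release, so all of it is affected.
    return True


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a host -> version inventory to a verdict string."""
    return {
        host: ("affected" if is_affected(version) else "not affected")
        for host, version in inventory.items()
    }


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "wiki-legacy.example.internal": "5.10.8",
    "wiki-a.example.internal": "6.6.11",
    "wiki-b.example.internal": "6.6.12",
    "wiki-c.example.internal": "6.13.2",
    "wiki-d.example.internal": "6.14.2",
    "wiki-new.example.internal": "6.15.1",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {SAMPLE_INVENTORY[host]:8} {verdict}")
```

Any host reported as "affected" should be upgraded to one of the fixed releases listed under the solution section; a version string the parser rejects (for example a build with a suffix) should be checked by hand rather than assumed safe.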

To fix this vulnerability, users need to update Confluence Server or Data Center to a patched version.

WebDAV Vulnerability - CVE-2019-3395

Versions of Confluence Server and Data Center released before June 18, 2018 are vulnerable. A remote attacker could exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.

Widget Connector Vulnerability - CVE-2019-3396

This vulnerability is a server-side template injection flaw in the Widget Connector of Confluence Server and Data Center. An attacker could exploit it to achieve server-side template injection, path traversal and remote code execution on systems running a vulnerable version of Confluence Server or Data Center.

Solution:

Confluence Server and Data Center version 6.15.1, which contains fixes for these vulnerabilities, has been released and is available at the following links: https://www.atlassian.com/software/confluence/down... and https://atlassian.com/software/confluence/download/data-center

In addition, Confluence Server and Data Center versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2, which contain fixes for these vulnerabilities, have been released and are available via the link https://www.atlassian.com/software/confluence/down... -archives.

If you detect suspicious activity on an Internet resource, the downloading of unknown files onto your PC, or a request to enter personal data or bank card details on a third-party website, we ask you to remain vigilant and to report it by calling the free short number 1400 or by e-mail to incident@kz-cert.kz