Atlassian - Confluence Security Advisory - 2019-03-20
--------------------
This page reproduces the advisory published at https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20
CVE ID:
* CVE-2019-3395.
* CVE-2019-3396.
Product:
Confluence Server and Confluence Data Center.
Affected Confluence Server and Confluence Data Center product versions:
6.6.0 <= version < 6.6.12
6.12.0 <= version < 6.12.3
6.13.0 <= version < 6.13.3
6.14.0 <= version < 6.14.2
Fixed Confluence Server and Confluence Data Center product versions:
* for 6.6.x, Confluence Server and Data Center 6.6.12 have been released with a fix for these issues.
* for 6.12.x, Confluence Server and Data Center 6.12.3 have been released with a fix for these issues.
* for 6.13.x, Confluence Server and Data Center 6.13.3 have been released with a fix for these issues.
* for 6.14.x, Confluence Server and Data Center 6.14.2 have been released with a fix for these issues.
Summary:
This advisory discloses critical severity security vulnerabilities. Versions of Confluence Server and Data Center before 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by these vulnerabilities.
Customers who have upgraded Confluence to version 6.6.12 or 6.12.3 or 6.13.3 or 6.14.2 are not affected.
Customers who have downloaded and installed any of the following versions should upgrade their Confluence installations immediately to fix these vulnerabilities:
* Confluence >= 6.6.0 but less than 6.6.12 (the fixed version for 6.6.x)
* Confluence >= 6.12.0 but less than 6.12.3 (the fixed version for 6.12.x)
* Confluence >= 6.13.0 but less than 6.13.3 (the fixed version for 6.13.x)
* Confluence >= 6.14.0 but less than 6.14.2 (the fixed version for 6.14.x)
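The following helper is an added example, not Atlassian code: it checks a Confluence version string against the ranges this advisory states (the Summary ranges for CVE-2019-3396 and the WebDAV description ranges for CVE-2019-3395; note the version table above lists narrower lower bounds) and returns the minimum fix version for each CVE.

```python
"""Added example: map a Confluence Server / Data Center version to the
minimum fix version for each CVE in the 2019-03-20 advisory."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, Version]  # (first affected, inclusive; first fixed, exclusive)

# CVE-2019-3396 (Widget Connector SSTI): ranges as worded in the advisory Summary.
# "(0,)" stands for "every version before the fixed one".
CVE_2019_3396_RANGES: List[Range] = [
    ((0,), (6, 6, 12)),
    ((6, 7, 0), (6, 12, 3)),
    ((6, 13, 0), (6, 13, 3)),
    ((6, 14, 0), (6, 14, 2)),
]
# CVE-2019-3395 (WebDAV SSRF): ranges as worded in that vulnerability's description.
CVE_2019_3395_RANGES: List[Range] = [
    ((0,), (6, 6, 7)),
    ((6, 7, 0), (6, 7, 3)),
    ((6, 8, 0), (6, 8, 5)),
    ((6, 9, 0), (6, 9, 3)),
]


def parse_version(text: str) -> Version:
    """Turn '6.13.1' into (6, 13, 1); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Confluence version string: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str, ranges: List[Range]) -> Optional[str]:
    """Return the first fixed version if `version` is inside an affected range, else None."""
    v = parse_version(version)
    for low, fixed in ranges:
        # Tuple comparison gives the usual dotted-version ordering for integer components.
        if low <= v < fixed:
            return ".".join(map(str, fixed))
    return None


def assess(version: str) -> dict:
    """Report, per CVE, the minimum upgrade target (None means not in an affected range)."""
    return {
        "CVE-2019-3396": fixed_version_for(version, CVE_2019_3396_RANGES),
        "CVE-2019-3395": fixed_version_for(version, CVE_2019_3395_RANGES),
    }
```

Feed it the version shown in Confluence's administration console; a result of `None` for both CVEs means the instance is at or past a fix version for this advisory only, not that it is free of later issues.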
WebDAV vulnerability (CVE-2019-3395)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.
Description:
A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability via the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. Versions of Confluence before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.7.3 (the fixed version for 6.7.x), from version 6.8.0 before 6.8.5 (the fixed version for 6.8.x) and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57971
Remote code execution via Widget Connector macro (CVE-2019-3396)
Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.
Description:
There was a server-side template injection vulnerability in Confluence via Widget Connector. An attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence.
Versions of Confluence before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57974
Fix:
To address these issues, we have released the following versions of Confluence Server and Data Center containing a fix:
* version 6.6.12
* version 6.12.3
* version 6.13.3
* version 6.14.2
Remediation:
Upgrade Confluence Server and Data Center to version 6.14.2 or higher.
The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.
If you are running Confluence Server and/or Data Center 6.6.x and cannot upgrade to 6.14.2, upgrade to version 6.6.12.
If you are running Confluence Server and/or Data Center 6.12.x and cannot upgrade to 6.14.2, upgrade to version 6.12.3.
If you are running Confluence Server and/or Data Center 6.13.x and cannot upgrade to 6.14.2, upgrade to version 6.13.3.
For a full description of the latest version of Confluence Server and Data Center, see the release notes found at https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence Server and Confluence Data Center from the download centre found at https://www.atlassian.com/software/confluence/download.
Support:
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.