
Confluence Server Path Traversal Leading to Code Execution

CVE advisory | Known Exploit

CVE-2019-3398

A vulnerability in Confluence Server and Data Center allows attackers to write files to arbitrary locations, potentially leading to code execution. This poses a business risk to affected organizations by impacting system integrity and data availability. The vulnerability is listed on the CISA Known Exploited Vulnerabil

Halo Surface Signal: 4

Path Traversal

Atlassian Confluence Server

  • 2.0 to before 6.6.13
  • 6.7.0 to before 6.12.4
  • 6.13.0 to before 6.13.4
  • 6.14.0 to before 6.14.3
  • 6.15.0 to before 6.15.2

External exposure likelihood

Halo Surface Signal score for CVE-2019-3398

Confluence Server and Data Center are commonly deployed as internet-facing enterprise collaboration and document management web applications, making their web interfaces and associated features accessible to remote users and often exposed to the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

Confluence Server and Data Center contain a vulnerability that could allow unauthorized file writing. This flaw exists in the downloadallattachments resource. Successful exploitation could lead to the execution of arbitrary code on the affected systems.

  • Confluence Server and Data Center
  • Path traversal in attachments download
  • Remote code execution

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to write files to arbitrary locations on a Confluence server. Successful exploitation can lead to the execution of remote code. The attack requires the attacker to have specific permissions within Confluence, such as the ability to add attachments, create new spaces, or have administrative privileges for a space.

  • Requires specific user permissions.
  • Attacker writes files.
  • Leads to code execution.

Live Threat

Current exploitation, exposure, and threat context

A path traversal vulnerability in Confluence Server and Data Center could allow an attacker to write files to arbitrary locations on affected systems. This could potentially lead to remote code execution, posing a significant risk to business operations and data. The vulnerability is listed on the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog, indicating active exploitation.

  • Attackers with low skill levels.
  • Requires authenticated access.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Organizations using Confluence Server and Data Center should address a path traversal vulnerability that could allow remote code execution. This vulnerability impacts systems with specific version ranges and has been publicly documented and exploited. The potential business risk includes unauthorized access and control of affected systems, impacting data integrity and availability.

  • Identify all Confluence instances and versions.
  • Restrict network access to Confluence.
  • Apply vendor updates and validate.
  • Monitor for related suspicious activity.
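For the first action, identifying instances and versions, the affected ranges listed in this advisory can be checked mechanically. The following is an added example, not code from Atlassian or from this advisory's publisher; the hostnames, the inventory, the function names and the status labels are constructed for illustration.

```python
import re

# (first affected, first fixed) version pairs from the advisory's version list.
AFFECTED_RANGES = [
    ((2, 0, 0), (6, 6, 13)),
    ((6, 7, 0), (6, 12, 4)),
    ((6, 13, 0), (6, 13, 4)),
    ((6, 14, 0), (6, 14, 3)),
    ((6, 15, 0), (6, 15, 2)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?")

def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' (build suffix ignored) into an int tuple, else None."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        return None
    return tuple(int(part or 0) for part in m.groups())

def classify(version_text):
    """Return (status, first_fixed_version) for one reported version string."""
    version = parse_version(version_text)
    if version is None:
        return ("unknown", None)  # unparseable: needs manual review
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ("affected", ".".join(map(str, first_fixed)))
    return ("outside_listed_ranges", None)

def triage(inventory):
    """Return hosts needing action: affected first, then unknown versions."""
    order = {"affected": 0, "unknown": 1}
    rows = [(host, ver) + classify(ver) for host, ver in inventory.items()]
    flagged = [r for r in rows if r[2] in order]
    return sorted(flagged, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "wiki-eu.example.internal": "6.6.12",
    "wiki-us.example.internal": "6.15.2",
    "docs.example.internal": "6.13.0",
    "legacy-kb.example.internal": "unknown build",
}

if __name__ == "__main__":
    for host, ver, status, fixed in triage(SAMPLE_INVENTORY):
        print(host, ver, status, f"first fixed release in range: {fixed}" if fixed else "")
```

Hosts whose version string cannot be parsed are returned as `unknown` rather than dropped, so they stay on the list for manual review.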

Frequently asked questions

What is Atlassian Confluence Server and Data Center used for?

Atlassian Confluence Server and Data Center are used as collaboration tools by organizations to create and share documents for various purposes, including marketing, design specifications, and project planning. They function as on-premise enterprise software for managing team and project work through spaces and pages.

What kind of vulnerability is CVE-2019-3398?

CVE-2019-3398 is a path traversal vulnerability that affects the downloadallattachments resource in Confluence Server and Data Center. This weakness (CWE-22) allows an attacker to write files to arbitrary locations on the server, potentially leading to remote code execution.

What are the conditions needed to exploit CVE-2019-3398?

An attacker needs specific permissions within Confluence to exploit this vulnerability. These include the ability to add attachments to pages or blogs, create new spaces, or possess 'Admin' permissions for a space. The vulnerability is not triggered if these preconditions are not met.

Who should be concerned about CVE-2019-3398 exposure?

Organizations using Confluence Server or Data Center should be concerned. Since Confluence is often deployed as an internet-facing collaboration tool, instances accessible from the internet pose a higher risk. Internal instances may also be at risk if an attacker gains initial access.

What is the first step to respond to CVE-2019-3398?

The primary response is to upgrade affected Confluence Server and Data Center instances to a fixed version, such as 6.15.2 or later, as recommended by Atlassian. This addresses the path traversal vulnerability and mitigates the risk of remote code execution.
