Description
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
CVSS breakdown
CVSS 3.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Affected products
- Atlassian / Confluence Server: unspecified to 6.6.12
- Atlassian / Confluence Server: 6.7.0 to unspecified
- Atlassian / Confluence Server: unspecified to 6.12.3
- Atlassian / Confluence Server: next of 6.13.0 to unspecified
- Atlassian / Confluence Server: unspecified to 6.13.3
- Atlassian / Confluence Server: next of 6.14.0 to unspecified
- Atlassian / Confluence Server: unspecified to 6.14.2
Exploits & PoCs
- nuclei: Atlassian Confluence Server - Path Traversal, by harshbothra_
References
- MISC: https://jira.atlassian.com/browse/CONFSERVER-57974
- EXPLOIT: http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html
- MISC: http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector
- EXPLOIT: https://www.exploit-db.com/exploits/46731/
- EXPLOIT: http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html