CyberSec.Space Logo
Back to CVE Browser

CVE-2019-3398

Known Exploited (CISA KEV)HIGH
8.8
CVSS Severity Score
EPSS Score85.8800%
EPSS Percentile91.82th
PublishedApr 18, 2019
Last ModifiedOct 24, 2025

Vulnerability Description

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

Affected Platforms (CPE)

πŸ“¦
Atlassian

Confluence Server

>= 2.0 and < 6.6.13
πŸ“¦
Atlassian

Confluence Server

>= 6.7.0 and < 6.12.4
πŸ“¦
Atlassian

Confluence Server

>= 6.13.0 and < 6.13.4
πŸ“¦
Atlassian

Confluence Server

>= 6.14.0 and < 6.14.3
πŸ“¦
Atlassian

Confluence Server

>= 6.15.0 and < 6.15.2

References & Advisories

πŸ”— http://packetstormsecurity.com/files/152616/Confluence-Server-Data-Center-Path-Traversal.html
πŸ”— http://packetstormsecurity.com/files/155235/Atlassian-Confluence-6.15.1-Directory-Traversal.html
πŸ”— http://packetstormsecurity.com/files/155245/Atlassian-Confluence-6.15.1-Directory-Traversal.html
πŸ”— http://www.securityfocus.com/bid/108067
πŸ”— https://jira.atlassian.com/browse/CONFSERVER-58102
πŸ”— https://seclists.org/bugtraq/2019/Apr/33
πŸ”— http://packetstormsecurity.com/files/152616/Confluence-Server-Data-Center-Path-Traversal.html
πŸ”— http://packetstormsecurity.com/files/155235/Atlassian-Confluence-6.15.1-Directory-Traversal.html

Related Vulnerabilities

CVE-2019-33959.8

The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from versio...

CVE-2019-33969.8

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 ...

CVE-2019-101009.8

In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it was possible to achieve Server Side Template Injection. The at...

CVE-2021-260849.8

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthentica...