CyberSec.Space Logo
CVEブラウザに戻る

CVE-2019-3394

HIGH
8.8
CVSS Severity Score
EPSS Score0.0770%
EPSS Percentile12.01th
Published2019年8月29日
Last Modified2024年11月21日

Vulnerability Description

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

Affected Platforms (CPE)

📦
Atlassian

Confluence

>= 6.1.0 and < 6.6.16
📦
Atlassian

Confluence

>= 6.7.0 and < 6.13.7
📦
Atlassian

Confluence Server

>= 6.14.0 and < 6.15.8

References & Advisories

🔗 https://confluence.atlassian.com/x/uAsvOg
🔗 https://jira.atlassian.com/browse/CONFSERVER-58734
🔗 https://confluence.atlassian.com/x/uAsvOg
🔗 https://jira.atlassian.com/browse/CONFSERVER-58734

関連する脆弱性情報

CVE-2019-101009.8

In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it was possible to achieve Server Side Template Injection. The at...

CVE-2019-33959.8

The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from versio...

CVE-2019-33969.8

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 ...

CVE-2021-378439.8

The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is k...