On Wednesday August 28, 2019, Atlassian announced a critical “Confluence Local File Disclosure.” In certain cases, this vulnerability allows a remote user to view the contents of files on the Confluence server file system. Some Confluence configurations keep files with embedded credentials, and this vulnerability can expose those files to a remote attacker. Atlassian views this as a critical vulnerability, requiring immediate attention.
What you need to know…
- Versions affected: This vulnerability affects all Confluence 6.X versions except for 6.6.16, 6.13.7 and 6.15.8.
- Versions already fixed: 6.6.16, 6.13.7 and 6.15.8.
- Location and description of vulnerability: This vulnerability allows an attacker with login access and “Add Page” permission to read files contained in the /confluence/WEB-INF directory tree. There may be files within this directory structure that contain credentials and other information useful in malicious activities.
Recommended action: Implement the short term workaround immediately and upgrade to a non-vulnerable version as soon as possible.
Short-term workaround: If you can’t upgrade immediately, we recommend that you do the following as a workaround until an upgrade can be performed.
- Stop Confluence
- Add the system property -Datlassian.confluence.export.word.max.embedded.images=0 to your Java options. This sets the maximum number of images included in Word exports to zero, so no images are embedded in Word exports.
- Restart Confluence
For more information and detailed instructions please consult the Atlassian Confluence Local File Disclosure announcement.
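To confirm the workaround actually took effect, here is an added check (not from the advisory or from Atlassian) that inspects a Confluence JVM option string for the property above. It assumes the option string is what you would find in CATALINA_OPTS/JAVA_OPTS or on the running java command line, and it treats the last occurrence of the property as the effective one, which is how Java resolves repeated -D flags.

```shell
#!/bin/sh
# Added example: verify the Confluence Local File Disclosure workaround
# is present in a JVM option string. Not part of the advisory.

# Echo the effective value of the workaround property found in "$1",
# or nothing if the property is absent. Java keeps the last -D
# occurrence when a property is repeated, so the last match wins.
workaround_value() {
    last=""
    for tok in $1; do
        case "$tok" in
            -Datlassian.confluence.export.word.max.embedded.images=*)
                last="${tok#*=}"
                ;;
        esac
    done
    printf '%s' "$last"
}

# Return 0 only when the effective value is exactly 0 (images disabled);
# a missing property or any other value means the workaround is not applied.
workaround_present() {
    [ "$(workaround_value "$1")" = "0" ]
}

# Usage: pass the option string, e.g. the JAVA_OPTS line from setenv.sh
# (constructed sample below for illustration).
if [ $# -gt 0 ]; then
    if workaround_present "$*"; then
        echo "mitigated: Word export image embedding is disabled"
    else
        echo "unmitigated: workaround property missing or not set to 0"
        exit 1
    fi
fi
```

The check only covers the workaround; an upgrade to a fixed version is still the real fix.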
Need help with this?
Give us a call. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.