PT-2019-16553 · Atlassian · Confluence

Ming · Published 2019-08-29 · Updated 2021-12-13 · CVE-2019-3394

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

- Confluence Server versions 6.1.0 through 6.6.15
- Confluence Server versions 6.7.0 through 6.13.6
- Confluence Server versions 6.14.0 through 6.15.7
- Confluence Data Center versions 6.1.0 through 6.6.15
- Confluence Data Center versions 6.7.0 through 6.13.6
- Confluence Data Center versions 6.14.0 through 6.15.7

Description

A local file disclosure issue exists in the page export feature: an attacker with page editing permission can read arbitrary files on the server under the /confluence/WEB-INF directory. This may lead to the leakage of sensitive information, including configuration files used for integration with other services and, if the Confluence server is configured to use LDAP as a user repository, potentially LDAP credentials.

Recommendations

- For Confluence Server versions 6.1.0 through 6.6.15, update to version 6.6.16 or later.
- For Confluence Server versions 6.7.0 through 6.13.6, update to version 6.13.7 or later.
- For Confluence Server versions 6.14.0 through 6.15.7, update to version 6.15.8 or later.
- For Confluence Data Center versions 6.1.0 through 6.6.15, update to version 6.6.16 or later.
- For Confluence Data Center versions 6.7.0 through 6.13.6, update to version 6.13.7 or later.
- For Confluence Data Center versions 6.14.0 through 6.15.7, update to version 6.15.8 or later.
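The recommendations above map three affected release lines to three fixed releases. The script below is an added example (not code from Atlassian or from this advisory's author) that checks an inventory of Confluence Server or Data Center versions against those ranges and reports which fixed release each host should move to. The version ranges and fix versions are the ones stated in the advisory; the function names and the sample host inventory are constructed for this example. Versions are compared as numeric tuples, because comparing the raw strings would rank 6.6.16 below 6.6.2 and misclassify patched hosts.

```python
"""Triage Confluence versions against the affected ranges for CVE-2019-3394.

Added example for this advisory page; not code from Atlassian or the advisory.
Ranges and fixed releases are the ones the advisory lists; the helper names and
the sample inventory are this example's own.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, first fixed) per release line, from the advisory.
# The advisory gives the same ranges for Confluence Server and Data Center.
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("6.1.0", "6.6.15", "6.6.16"),
    ("6.7.0", "6.13.6", "6.13.7"),
    ("6.14.0", "6.15.7", "6.15.8"),
]


def parse_version(text: str) -> Version:
    """Parse a dotted release string such as '6.13.6' into a tuple of ints.

    Numeric tuples compare correctly ('6.6.16' > '6.6.2'); plain string
    comparison would not. A qualifier after '-' or a space (e.g. '6.6.16-x')
    is dropped, since the advisory lists plain releases only.
    """
    core = text.strip().split("-")[0].split(" ")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version.

    Returns None when the version lies outside every affected range, i.e. it
    is already at or beyond a fixed release, or predates the affected lines.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) pair to a one-line verdict."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        fixed = fixed_version_for(version)
        if fixed is None:
            report[host] = f"{version}: not in an affected range"
        else:
            report[host] = f"{version}: affected, update to {fixed} or later"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are placeholders, not real systems.
    SAMPLE_INVENTORY = [
        ("wiki-01.example.internal", "6.6.15"),   # last affected in first line
        ("wiki-02.example.internal", "6.6.16"),   # first fixed in first line
        ("wiki-03.example.internal", "6.13.6"),   # last affected in second line
        ("wiki-04.example.internal", "6.15.8"),   # first fixed in third line
        ("wiki-05.example.internal", "7.0.1"),    # beyond every listed range
    ]
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Feed `triage` whatever (host, version) pairs your asset inventory produces; the verdict strings quote the advisory's own fix versions, so the output can be pasted straight into a remediation ticket.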

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2019-3394

Affected Products: Confluence