Rojan Rijal

**Name of the Vulnerable Software and Affected Versions** Atlassian Confluence Server (affected versions not specified) **Description** The issue allows remote attackers with read permissions to a page, but not write permissions, to upload attachments. This is due to a Broken Access Control vulnerability in the attachments feature. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Atlassian Confluence Server versions prior to 7.13.15 Atlassian Confluence Server versions 7.14.0 through 7.19.7 Atlassian Confluence Server versions 7.20.0 through 8.2.0 Atlassian Confluence Data Center versions prior to 7.13.15 Atlassian Confluence Data Center versions 7.14.0 through 7.19.7 Atlassian Confluence Data Center versions 7.20.0 through 8.2.0 **Description** The issue is related to insufficient protection of service data in the macro preview feature of Atlassian Confluence Server and Data Center. This allows anonymous remote attackers to view the names of attachments and labels in a private Confluence space via an Information Disclosure vulnerability. The vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team. **Recommendations** For versions prior to 7.13.15, update to version 7.13.15 or later. For versions 7.14.0 through 7.19.7, update to version 7.19.7 or later. For versions 7.20.0 through 8.2.0, update to version 8.2.0 or later. As a temporary workaround, consider restricting access to the macro preview feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Rundeck versions prior to 3.3.14 Rundeck versions prior to 3.4.3 **Description** An authorized user can upload a zip-format plugin with a crafted `plugin.yaml`, or a crafted `aclpolicy` yaml file, or upload an untrusted project archive with a crafted `aclpolicy` yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues require authentication and authorization to these access levels, and affect all Rundeck editions: `admin` level access to the `system` resource type. The ACL Policy yaml file upload issues require authentication and authorization to these access levels, and affect all Rundeck editions: `create`, `update`, or `admin` level access to a `project acl` resource, and/or `create`, `update`, or `admin` level access to the `system acl` resource. **Recommendations** To resolve the issue for versions prior to 3.3.14, update to version 3.3.14 or later. To resolve the issue for versions prior to 3.4.3, update to version 3.4.3 or later. As a temporary workaround, consider disabling the upload of zip-format plugins and `aclpolicy` yaml files until a patch is available. Restrict access to the `system` resource type and `project acl` and `system acl` resources to minimize the risk of exploitation. Avoid making unauthenticated POST requests to the affected API endpoints until the issue is resolved.