Name of the Vulnerable Software and Affected Versions:

Confluence Server versions 2.0.0 through 6.6.12

Confluence Server versions 6.7.0 through 6.12.3

Confluence Server versions 6.13.0 through 6.13.3

Confluence Server versions 6.14.0 through 6.14.2

Confluence Server versions 6.15.0 through 6.15.1

Confluence Data Center versions 2.0.0 through 6.6.12

Confluence Data Center versions 6.7.0 through 6.12.3

Confluence Data Center versions 6.13.0 through 6.13.3

Confluence Data Center versions 6.14.0 through 6.14.2

Confluence Data Center versions 6.15.0 through 6.15.1

Description:

A path traversal vulnerability exists in the downloadallattachments resource of Confluence Server and Data Center. This vulnerability can be exploited by a remote attacker who has permission to add attachments to pages and/or blogs, create a new space or personal space, or has 'Admin' permissions for a space. The attacker can write files to arbitrary locations, potentially leading to remote code execution on systems running a vulnerable version of Confluence Server or Data Center.

Recommendations:

For Confluence Server versions 2.0.0 through 6.6.12, update to version 6.6.13 or later.

For Confluence Server versions 6.7.0 through 6.12.3, update to version 6.12.4 or later.

For Confluence Server versions 6.13.0 through 6.13.3, update to version 6.13.4 or later.

For Confluence Server versions 6.14.0 through 6.14.2, update to version 6.14.3 or later.

For Confluence Server versions 6.15.0 through 6.15.1, update to version 6.15.2 or later.

For Confluence Data Center versions 2.0.0 through 6.6.12, update to version 6.6.13 or later.

For Confluence Data Center versions 6.7.0 through 6.12.3, update to version 6.12.4 or later.

For Confluence Data Center versions 6.13.0 through 6.13.3, update to version 6.13.4 or later.

For Confluence Data Center versions 6.14.0 through 6.14.2, update to version 6.14.3 or later.

For Confluence Data Center versions 6.15.0 through 6.15.1, update to version 6.15.2 or later.