PT-2021-11667 · Atlassian · Confluence
Author: Amit Laish · Published: 2021-02-18 · Updated: 2022-07-27
CVE-2020-29448
CVSS v3.1: 5.3 (Medium)
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Confluence Server versions prior to 6.13.18
Confluence Server versions 6.14.0 through 7.4.5
Confluence Server versions 7.5.0 through 7.8.2
Confluence Data Center versions prior to 6.13.18
Confluence Data Center versions 6.14.0 through 7.4.5
Confluence Data Center versions 7.5.0 through 7.8.2
Description:
The issue allowed unauthenticated remote attackers to read arbitrary files within the WEB-INF and META-INF directories because of an incorrect path access check. The root cause was a flaw in the ConfluenceResourceDownloadRewriteRule class.
Recommendations:
For Confluence Server versions prior to 6.13.18, update to version 6.13.18 or later.
For Confluence Server versions 6.14.0 through 7.4.5, update to version 7.4.6 or later.
For Confluence Server versions 7.5.0 through 7.8.2, update to version 7.8.3 or later.
For Confluence Data Center versions prior to 6.13.18, update to version 6.13.18 or later.
For Confluence Data Center versions 6.14.0 through 7.4.5, update to version 7.4.6 or later.
For Confluence Data Center versions 7.5.0 through 7.8.2, update to version 7.8.3 or later.
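As an added example, not part of the original advisory and not Atlassian's code, the following Python encodes the affected version ranges and the fix versions listed above (the ranges are the same for Confluence Server and Confluence Data Center) so that an inventory of instances can be triaged automatically. The hostnames and version strings in the inventory are constructed sample input; the function names are this example's own.

```python
"""
Triage helper for CVE-2020-29448 (PT-2021-11667).

The affected ranges and recommended fix versions are taken from the
advisory text above. Everything else (function names, sample inventory)
is an assumption made for this example.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Each entry: (lower bound inclusive or None for "prior to", upper bound
# exclusive, fixed version the advisory recommends updating to).
AFFECTED_RANGES = [
    (None, (6, 13, 18), "6.13.18"),        # versions prior to 6.13.18
    ((6, 14, 0), (7, 4, 6), "7.4.6"),      # 6.14.0 through 7.4.5
    ((7, 5, 0), (7, 8, 3), "7.8.3"),       # 7.5.0 through 7.8.2
]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version ("7.4.5") into a comparable tuple.

    Fewer than three components are padded with zeros, so "7.4" is treated
    as 7.4.0; extra components (e.g. "7.4.5.1") are kept so that a patch
    build still compares correctly against the three-component bounds.
    """
    parts = text.strip().split(".")
    nums: List[int] = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"unsupported version component {part!r} in {text!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fix_version) for a single Confluence version string."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True, fixed
    return False, None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host in an inventory to the version it should move to."""
    needs_update: Dict[str, str] = {}
    for host, version in inventory.items():
        affected, fixed = assess(version)
        if affected and fixed is not None:
            needs_update[host] = fixed
    return needs_update


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real.
    sample_inventory = {
        "wiki-a.example.test": "6.13.17",   # prior to 6.13.18 -> affected
        "wiki-b.example.test": "6.13.20",   # 6.13.x at or above 6.13.18 -> fixed
        "wiki-c.example.test": "7.4.5",     # last affected of the 6.14-7.4 range
        "wiki-d.example.test": "7.8.3",     # first fixed of the 7.5-7.8 range
    }
    for host, fix in triage(sample_inventory).items():
        print(f"{host}: affected, update to {fix} or later")
```

Running the module prints one line per affected host; importing it and calling `assess()` or `triage()` lets the same logic feed a ticketing or asset-management workflow. Note that the upper bound of each range is stored as the first fixed version (exclusive), which mirrors the advisory's "prior to" and "through" wording without off-by-one errors.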
Affected Products: Confluence