PT-2022-26689 · Atlassian · Confluence, Netic User Export

Published 2022-11-15 · Updated 2023-08-08 · CVE-2022-42977

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Netic User Export add-on for Atlassian Confluence, versions prior to 1.3.5
Description: The add-on's function for generating and exporting a list of users serves the result through an HTTP request that takes a fileName parameter. The parameter is not restricted to the generated export file, so a request can name any file on the system that the Confluence process can read, including sensitive files such as SSH private keys. Per the CVSS vector, no authentication is required (PR:N).
Recommendations: For versions prior to 1.3.5, update to version 1.3.5 or later, which resolves the issue. As a temporary workaround, restrict access to the export functionality (for example, to administrators only) to reduce exposure. Note that the fileName parameter is attacker-supplied, so simply not using it yourself does not mitigate the issue; until the update is applied, reject or filter requests whose fileName contains path separators or ".." sequences at a reverse proxy or WAF in front of Confluence.
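The flaw class behind this advisory is an unrestricted file name joined onto a server-side directory. The following is an added illustration, not code from the Netic User Export add-on or from Atlassian: a vulnerable resolver that mirrors the described behaviour next to a hardened one that accepts only a bare file name and checks that the canonical path stays inside the export directory. The directory layout, the stand-in secret file, and the function names resolve_vulnerable, resolve_hardened and demo are assumptions for the demonstration.

```python
"""Path traversal through a download parameter: vulnerable vs hardened resolver.

Added illustration of the flaw class described in the advisory; it is not code
from the Netic User Export add-on. Directory layout, file names and function
names are assumptions for the demonstration.
"""
import os
import tempfile
from pathlib import Path


def resolve_vulnerable(export_dir: Path, file_name: str) -> Path:
    """Join the client-supplied fileName onto the export directory unchecked.

    This is the flaw pattern: '..' segments walk out of export_dir, and
    os.path.join discards export_dir entirely when file_name is absolute.
    """
    return Path(os.path.join(export_dir, file_name))


def resolve_hardened(export_dir: Path, file_name: str) -> Path:
    """Accept only a bare file name and require the canonical path to stay
    inside the canonical export directory.

    Raises ValueError on anything else. resolve() follows symlinks, so a link
    inside export_dir that points elsewhere is rejected as well.
    """
    if (not file_name or file_name in (".", "..")
            or any(sep in file_name for sep in ("/", "\\"))):
        raise ValueError("fileName must be a bare file name")
    base = export_dir.resolve()
    target = (base / file_name).resolve()
    if base not in target.parents:
        raise ValueError("fileName resolves outside the export directory")
    return target


def demo() -> dict:
    """Create a throwaway export directory with one legitimate export and a
    stand-in secret outside it, then record per request whether the vulnerable
    resolver would serve an existing file and whether the hardened resolver
    accepts the request at all. Returns {label: (served, accepted)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        export_dir = root / "exports"
        export_dir.mkdir()
        (export_dir / "users.csv").write_text("username,email\n")
        secret = root / "id_rsa"  # constructed stand-in for ~/.ssh/id_rsa
        secret.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n")

        requests = {
            "legit": "users.csv",       # the export the feature is meant to serve
            "dotdot": "../id_rsa",      # classic traversal out of export_dir
            "absolute": str(secret),    # absolute path replaces export_dir
            "parent_dir": "..",         # bare '..' is not a file name either
        }
        try:
            # a symlink inside export_dir pointing at the secret
            os.symlink(secret, export_dir / "report.csv")
            requests["symlink_out"] = "report.csv"
        except (OSError, NotImplementedError):
            pass  # platform without symlink support; skip that case

        results = {}
        for label, name in requests.items():
            served = resolve_vulnerable(export_dir, name).is_file()
            try:
                resolve_hardened(export_dir, name)
                accepted = True
            except ValueError:
                accepted = False
            results[label] = (served, accepted)
        return results


if __name__ == "__main__":
    for label, (served, accepted) in demo().items():
        print(f"{label:12} vulnerable serves: {served!s:5}  hardened accepts: {accepted}")
```

The hardened version deliberately layers two checks: the syntactic rule (no separators, no dot entries) gives a clear error for obviously malformed names, and the canonical-prefix check catches what syntax alone cannot, such as a symlink planted inside the export directory. Checking the canonical path against `parents` rather than using a string prefix test also avoids the classic `/exports` vs `/exports-old` prefix confusion.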

Exploit · Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2022-42977

Affected Products: Confluence, Netic User Export