Cyber Resilience

CVE-2019-3398

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 18 April 2019
Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9385 (99.9th percentile)
Risk Priority: 94 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-3398 is a high-severity Path Traversal (CWE-22) vulnerability in Atlassian Confluence Server. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource, tracked as CVE-2019-3398 and assigned CWE-22. The flaw affects all versions from 2.0.0 through 6.6.12, 6.7.0 through 6.12.3, 6.13.0 through 6.13.3, 6.14.0 through 6.14.2, and 6.15.0 through 6.15.1, carrying a CVSS 3.1 score of 8.8.

A remote attacker who already holds permission to add attachments to pages or blogs, create a space or personal space, or administer a space can supply crafted input to the affected resource. Successful exploitation allows the attacker to write files to arbitrary locations on the server, which can be leveraged to achieve remote code execution.

Publicly available advisories and exploit references indicate that the issue is resolved by upgrading to Confluence Server and Data Center 6.6.13, 6.12.4, 6.13.4, 6.14.3, or 6.15.2. Multiple proof-of-concept artifacts have been published that demonstrate directory traversal and file-write primitives against the listed vulnerable releases.

Vulnerability details

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Atlassian Confluence Server: 2.0 before 6.6.13 · 6.7.0 before 6.12.4 · 6.13.0 before 6.13.4

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): Directly enforces validation of user-supplied path parameters in the downloadallattachments resource, blocking the traversal sequences that enable arbitrary file writes.

Prevent, SI-2 (Flaw Remediation): Requires timely application of the vendor patches that eliminate the path-traversal flaw in the affected Confluence versions.

Prevent: Limits assignment of the attachment-add, space-create, and space-admin permissions that are required to reach the vulnerable resource.
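The input-validation control (SI-10) above in concrete form, as an added example that is not Confluence's or Atlassian's code: a containment check for a user-supplied attachment path that decides on the canonical resolved path rather than on the raw string, set against the substring blacklist that CWE-22 payloads routinely slip past. The attachment root, filenames and sample inputs are constructed for illustration.

```python
"""Containment check for a user-supplied attachment path (constructed example)."""
import os
import urllib.parse
from typing import Optional

# Hypothetical attachment root; Confluence's real storage layout is not assumed.
BASE_DIR = "/srv/confluence/attachments"


def naive_is_safe(user_path: str) -> bool:
    """Substring blacklist: the kind of check an encoded '..' walks straight past."""
    return ".." not in user_path


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical target if it lies strictly below base_dir, else None.

    The decision is made on the resolved path, so percent-encoding, '.' segments,
    backslashes and symlinks are all accounted for before the comparison.
    """
    # One decoding pass, matching what the servlet container hands the handler.
    # Never decode twice: a double-encoded '..' must remain a literal filename.
    decoded = urllib.parse.unquote(user_path)
    if "\x00" in decoded:                 # a NUL would truncate the path in native code
        return None
    decoded = decoded.replace("\\", "/")  # Windows hosts treat both as separators
    if decoded.startswith("/"):           # os.path.join would discard base_dir
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # commonpath, not str.startswith: '/srv/x' must not accept '/srv/x_old/f'.
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: a legitimate name, a plain traversal, an encoded
    # traversal that defeats the blacklist, and a sibling-directory prefix collision.
    for candidate in ("report.pdf", "../../etc/passwd",
                      "%2e%2e/%2e%2e/etc/passwd", "../attachments_old/f"):
        print(f"{candidate!r:32} naive={naive_is_safe(candidate)!s:5} "
              f"resolved={resolve_inside(BASE_DIR, candidate)}")
```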
