CVE-2019-3398
Published: 18 April 2019
Summary
CVE-2019-3398 is a high-severity path traversal (CWE-22) vulnerability in Atlassian Confluence Server and Data Center. Its CVSS base score is 8.8 (High).
Operationally, this CVE ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Confluence Server and Data Center contain a path traversal vulnerability in the downloadallattachments resource, tracked as CVE-2019-3398 and assigned CWE-22. The flaw affects all versions from 2.0.0 through 6.6.12, 6.7.0 through 6.12.3, 6.13.0 through 6.13.3, 6.14.0 through 6.14.2, and 6.15.0 through 6.15.1, carrying a CVSS 3.1 score of 8.8.
A remote attacker who already holds permission to add attachments to pages or blogs, create a space or personal space, or administer a space can supply crafted input to the affected resource. Successful exploitation allows the attacker to write files to arbitrary locations on the server, which can be leveraged to achieve remote code execution.
Publicly available advisories and exploit references indicate that the issue is resolved by upgrading to Confluence Server and Data Center 6.6.13, 6.12.4, 6.13.4, 6.14.3, or 6.15.2. Multiple proof-of-concept artifacts have been published that demonstrate directory traversal and file-write primitives against the listed vulnerable releases.
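The write primitive described above comes down to joining an attacker-controlled name onto a server-side directory without confining the result. The following Python is an added illustration for this page, not Confluence's code and not a reconstruction of the patched resource: it models a download-all-attachments step that materialises each attachment under an export directory, once with the vulnerable join and once with a canonicalise-and-contain check. The attachment names, directory layout and function names are constructed for the example.

```python
"""Path-containment check for attacker-controlled attachment names.

Added example for this page, not Confluence's own code. It models a
"download all attachments" step that materialises each attachment under an
export directory before zipping; the attachment name comes from a user with
"add attachment" permission, i.e. the attacker in CVE-2019-3398.
"""
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a supplied name would land outside the export directory."""


def vulnerable_target(export_dir, name: str) -> Path:
    # Vulnerable pattern: join the supplied name onto the export directory and
    # trust the result. ".." segments walk out of it, and an absolute name
    # replaces it entirely (pathlib discards the left operand).
    return Path(export_dir) / name


def hardened_target(export_dir, name: str) -> Path:
    # Hardened pattern: canonicalise both sides (collapses "..", follows
    # symlinks) and require the export directory to be a strict ancestor of
    # the result. A string-prefix check is not enough: "/srv/export-old/x"
    # starts with "/srv/export" but is not inside it; comparing path
    # components avoids that. An empty name (candidate == base) is rejected too.
    base = Path(export_dir).resolve()
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise PathTraversalError(f"{name!r} resolves to {candidate}")
    return candidate


def export_attachments(export_dir, names: dict, target_fn) -> dict:
    """Write one placeholder file per attachment using target_fn.

    Returns {label: "inside" | "outside" | "rejected"} describing where each
    file actually ended up relative to export_dir.
    """
    base = Path(export_dir).resolve()
    outcome = {}
    for label, name in names.items():
        try:
            final = target_fn(export_dir, name).resolve()
        except PathTraversalError:
            outcome[label] = "rejected"
            continue
        final.parent.mkdir(parents=True, exist_ok=True)
        final.write_bytes(b"attachment body")
        outcome[label] = "inside" if base in final.parents else "outside"
    return outcome


def sample_attachments(root: Path) -> dict:
    # Constructed names for this example. The absolute one is built from the
    # temp root at runtime so the demo never writes outside its own sandbox.
    return {
        "benign": "notes.txt",
        "dotdot": "../escaped.txt",
        "absolute": str(root / "absolute_escape.txt"),
        "normalised": "sub/../inside.txt",   # contains "..", but stays inside
    }


def run_demo():
    """Run the same attachment set through both resolvers; return both outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        names = sample_attachments(root)
        vuln_dir = root / "vuln" / "export"
        hard_dir = root / "hard" / "export"
        vuln_dir.mkdir(parents=True)
        hard_dir.mkdir(parents=True)
        return (export_attachments(vuln_dir, names, vulnerable_target),
                export_attachments(hard_dir, names, hardened_target))


if __name__ == "__main__":
    vulnerable, hardened = run_demo()
    for label in vulnerable:
        print(f"{label:<11} vulnerable={vulnerable[label]:<9} hardened={hardened[label]}")
```

Whatever decoding the web layer performs on the name (percent-decoding, Unicode normalisation) must happen before the containment check runs, so the check sees the same string the filesystem will see; on Python 3.9 and later `candidate.is_relative_to(base)` expresses the same ancestor test.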
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-13037
Vulnerability details
Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and/or blogs, or to create a new space or a personal space, or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations, which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.
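Because the affected ranges sit on five separate release lines, a naive check ("is my version below 6.15.2?") gets several of them wrong. The following Python is an added helper for this page, not Atlassian tooling: it encodes the ranges and fixed releases exactly as listed above, compares versions as integer tuples rather than strings, and reports the release to move to. The function names and the host inventory are constructed for the example.

```python
"""Triage helper for the CVE-2019-3398 affected ranges.

Added example for this page, not Atlassian tooling. The ranges and fixed
releases are copied from the advisory text above; everything else (function
names, the host inventory) is constructed for the example.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# One entry per release line: (first affected, first fixed). The lower bound is
# inclusive and the upper bound exclusive, matching "from X before Y".
AFFECTED_RANGES = [
    ((2, 0, 0), (6, 6, 13)),
    ((6, 7, 0), (6, 12, 4)),
    ((6, 13, 0), (6, 13, 4)),
    ((6, 14, 0), (6, 14, 3)),
    ((6, 15, 0), (6, 15, 2)),
]


def parse_version(text: str) -> Version:
    """Turn '6.13.3' into (6, 13, 3), padded to at least three components.

    Integer tuples compare numerically, so 6.15.10 sorts after 6.15.2; a
    string comparison would put it before and flag a fixed build as affected.
    """
    parts = []
    for component in text.strip().split("."):
        match = re.match(r"\d+", component)
        if not match:
            raise ValueError(f"unparseable component {component!r} in {text!r}")
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def fixed_release_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def triage(inventory: dict) -> dict:
    """Map each host to its required upgrade target (None when not affected)."""
    return {host: fixed_release_for(ver) for host, ver in inventory.items()}


# Constructed inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY = {
    "wiki-prod": "6.13.3",      # last affected build of the 6.13 line
    "wiki-staging": "6.15.2",   # first fixed build of the 6.15 line
    "wiki-legacy": "5.10.8",    # inside the long 2.0.0 .. 6.6.12 range
    "wiki-dc-01": "6.6.14",     # at or above the 6.6.x fix, below 6.7.0
    "wiki-dc-02": "6.15.10",    # a string comparison would flag this one
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        verdict = f"upgrade to {target}" if target else "not affected"
        print(f"{host:<13} {SAMPLE_INVENTORY[host]:<8} {verdict}")
```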
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of user-supplied path parameters in the downloadallattachments resource, blocking the traversal sequences that enable arbitrary file writes.
- SI-2 (Flaw Remediation): Requires timely application of the vendor patches (6.6.13, 6.12.4, 6.13.4, 6.14.3 or 6.15.2) that eliminate the path traversal flaw in the affected Confluence versions.
- Least privilege: Limits assignment of the attachment-add, space-create, and space-admin permissions that are required to reach the vulnerable resource.