What are the steps to execute the vulnerability in Confluence outlined in CVE-2019-3394?

P September 7, 2019

Atlassian released the following advisory last month: 

CVE-2019-3394 

Under the "Acknowledgement" section it says user "Magic Ice Cream Shop" discovered this vulnerability.  There is no information on how Magic Ice Cream Shop did it (i.e. how a user with "Add Page" space permission can view files in <install-directory>/confluence/WEB-INF).  

Would appreciate if Atlassian can release steps to reproduce this vulnerability so that we can make a determination as to whether an upgrade to fixed version is necessary. 

1 answer

0 votes
Fazila Ashraf
Community Leader
September 7, 2019

@P, I would not want Atlassian to give out the recipe to hack the application while the vulnerability is still a problem.

Is it not better to apply the workaround or fix by just understanding that somewhere someone could hack your system?

P September 13, 2019

I think if you are a paying customer (which I am) then Atlassian should inform us at least privately (i.e. does not have to be through this forum). 

Knowing how the attack works and trying it on my system is far less work than upgrading to the nearest fixed version.

If Atlassian prefers, I can launch an actual support ticket. But either way, it is really important for me to know how this vulnerability can be exploited.

Fazila Ashraf
Community Leader
September 14, 2019

Still, as a customer of Atlassian, if I got the recipe from Atlassian, I could happily exploit the other customers' instances. Why would Atlassian or any company for that matter do such a thing with their product customers?!

A support ticket or even if I am ready to pay extra money to a company to know how to hack their product, they would (and should) never do that.

P September 14, 2019

Yes, I understand, but this can be taken care of easily by simply signing an agreement identifying myself to Atlassian as a paying customer who has no malicious intent and will not pass this information on to anyone. Kind of like how paying customers have agreed to not pass Atlassian Confluence source code to others.
