
What are the steps to execute the vulnerability in Confluence outlined in CVE-2019-3394?

Atlassian released the following advisory last month: 

CVE-2019-3394 

Under the "Acknowledgement" section it says user "Magic Ice Cream Shop" discovered this vulnerability. There is no information on how Magic Ice Cream Shop did it (i.e. how a user with "Add Page" space permission can view files in <install-directory>/confluence/WEB-INF).

I would appreciate it if Atlassian could release steps to reproduce this vulnerability so that we can make a determination as to whether an upgrade to a fixed version is necessary.

1 answer

0 votes
Fazila_Ashraf Community Leader Sep 07, 2019

@P, I would not want Atlassian to give out the recipe to hack the application while the vulnerability is still a problem.

Is it not better to apply the workaround or fix, just understanding that somewhere someone could hack your system?

I think if you are a paying customer (which I am) then Atlassian should inform us at least privately (i.e. does not have to be through this forum). 

Knowing how the attack works and trying it on my system is far less work than upgrading to the nearest fixed version.

If Atlassian prefers, I can launch an actual support ticket. But either way, it is really important for me to know how this vulnerability can be exploited.

Fazila_Ashraf Community Leader Sep 14, 2019

Still, as a customer of Atlassian, if I got the recipe from Atlassian, I could happily exploit other customers' instances. Why would Atlassian, or any company for that matter, do such a thing with their product customers?!

A support ticket, or even if I am ready to pay extra money to a company to know how to hack their product: they would (and should) never do that.

Yes, I understand, but this can be taken care of easily by simply signing an agreement identifying myself to Atlassian as a paying customer who has no malicious intent and will not pass this information on to anyone. Kind of like how paying customers have agreed not to pass Atlassian Confluence source code to others.
