Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

What are the steps to execute the vulnerabilty in Confluence outlined in CVE-2019-3394?

Atlassian released the following advisory last month: 

CVE-2019-3394 

Under the "Acknowledgement" section it says user "Magic Ice Cream Shop" discovered this vulnerability.  There is no information on how Magic Ice Cream Shop did it (i.e. how a user with "Add Page" space permission can view files in <install-directory>/confluence/WEB-INF).  

Would appreciate if Atlassian can release steps to reproduce this vulnerability so that we can make a determination as to whether an upgrade to fixed version is necessary. 

1 answer

0 votes
Fazila Ashraf Community Leader Sep 07, 2019

@P  , i would not want Atlassian give out the recipe to hack the application while the vulnerability is still a problem. 

It is not better to apply the workaround or fix by just understanding that somewhere someone could hack your system?

I think if you are a paying customer (which I am) then Atlassian should inform us at least privately (i.e. does not have to be through this forum). 

Knowing how the attack works and trying it on my system is far less work than the upgrading to the nearest fixed version. 

If Atlassian prefers, I can launch an actual support ticket. But either way, it is really important for me to know how this vulnerability can be exploited.

Fazila Ashraf Community Leader Sep 14, 2019

Still, as a customer of atlassian, if i got the recipe from atlassian, i could happily exploit the other customers instances. Why would atlassian or any company for that matter do such a thing with their product customers?!

 

A support ticket or even if i am ready to pay extra money to a company to know how to hack their product, they would (and should) never do that..

Yes I understand, but this can be taken care of easily by simply signing an agreement identifying  myself to Atlassian as a paying customer who has no malicious intent and will not pass this information on to anyone.  Kind of like how paying customers have agreed to not pass Atlassian Confluence source code to others.  

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Posted in Confluence

What do you think is the most *delightful* Confluence feature? Comment for a prize!

- Create your own custom emoji 🔥 - "Shake for Feedback" on mobile 📱 - An endless supply of GIFs via GIPHY 🤩 Is there anything quite as nice as a pleasant surprise? Comment below with what...

415 views 23 8
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you