Atlassian’s Confluence collaboration server blighted by critical RCE bug

Pesky widgets pose a critical risk

Enterprises are urged to patch a newly-discovered vulnerability in Atlassian’s content collaboration tool, Confluence Server, that poses a remote code execution (RCE) risk.

Left unresolved, the bug creates a means for hackers to achieve path traversal and RCE on a Confluence Server via a server-side template injection exploit.

Cloud-based instances of the technology are similarly vulnerable to the flaws, which merit a CVSS score of 9.8 – close to the maximum possible value of 10.

The bugs stem from coding flaws in the Widget Connector macro in Atlassian Confluence Server.

The Widget Connector vulnerability (CVE-2019-3396) poses a variety of risks including –  but not limited to – unauthorized disclosure of information, unauthorized modification, and service disruption.

A related Server Side Request Forgery (SSRF) vulnerability in the WebDAV plugin (CVE-2019-3395) creates a mechanism for hackers to send arbitrary HTTP and WebDAV requests from an unpatched Confluence Server or Data Center instance.

Confluence is a collaboration server package written in Java and developed by Australia-based Atlassian. A security advisory from the firm explains the scope of the Widget Connector vulnerability on unpatched systems.

“An attacker is able to exploit this issue to achieve server-side template injection (SSTI), path traversal, and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center,” it explains.

Affected versions of Confluence Server and Confluence Data Center are before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).

Credit for discovering the Widget Connector bug goes to Daniil Dmitriev, while the WebDAV vulnerability was found by Shubham Shah from Assetnote and Orange Tsai from DEVCORE.

KnownSec 404 Team has released a video demonstrating a proof of concept exploit of the Widget Connector vulnerability alongside a paper on the security flaw.

Atlassian told The Daily Swig that, to the company’s knowledge, none of its other products were affected by the recent security issues. It nonetheless planned to update its internal security processes in light of the vulnerability.

“As part of every report, we review surrounding code for similar patterns to proactively identify and fix related issues (if we find them),” a spokesperson explained.

“All security issues go through our standard vulnerability management process, which includes (amongst many things), regularly reviewing how we can systemically eliminate classes of vulnerabilities.”