CVE-2017-9505
First published: Thu Jun 15 2017(Updated: )
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Confluence | >=4.3<6.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-9505?
CVE-2017-9505 has a severity rating of medium as it allows unauthorized users to view comments they shouldn't have access to.
How do I fix CVE-2017-9505?
To fix CVE-2017-9505, upgrade Atlassian Confluence to version 6.2.1 or later.
Who is affected by CVE-2017-9505?
All users of Atlassian Confluence versions between 4.3.0 and 6.2.1 are affected by CVE-2017-9505.
What is the impact of CVE-2017-9505?
The impact of CVE-2017-9505 is that unauthorized users can receive notifications containing potentially sensitive comments.
Can CVE-2017-9505 be exploited remotely?
CVE-2017-9505 requires an attacker to have valid login credentials for Confluence to exploit the vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/first-publish-date
- agent/tags
- agent/author
- agent/description
- agent/event
- agent/source
- vendor/atlassian
- canonical/atlassian confluence
- version/atlassian confluence/4.3