First published: Mon Mar 25 2019
The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix
---|---|---
Atlassian Confluence | <6.6.12 | 
Atlassian Confluence | >=6.7.0 <6.12.3 | 
Atlassian Confluence Server | >=6.13.0 <6.13.3 | 
Atlassian Confluence Server | >=6.14.0 <6.14.2 | 
CVE-2019-3395 is a vulnerability in Atlassian Confluence Server and Data Center that allows remote attackers to send arbitrary HTTP and WebDAV requests.
The severity of CVE-2019-3395 is critical, with a CVSS score of 9.8.
Atlassian Confluence versions 6.6.12 and earlier, 6.7.0 to 6.8.5, and 6.9.0 to 6.9.3 are affected by CVE-2019-3395.
Remote attackers can exploit CVE-2019-3395 via Server-Side Request Forgery: a crafted request to the vulnerable WebDAV endpoint causes the Confluence Server or Data Center instance itself to send arbitrary HTTP and WebDAV requests on the attacker's behalf.
The fixed versions for CVE-2019-3395 are 6.6.7 for 6.6.x, 6.8.5 for 6.8.x, and 6.9.3 for 6.9.x of Atlassian Confluence.