CVE-2019-3395: SSRF
First published: Mon Mar 25 2019(Updated: )
The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Confluence | <6.6.12 | |
| Atlassian Confluence | >=6.7.0<6.12.3 | |
| Atlassian Confluence Server | >=6.13.0<6.13.3 | |
| Atlassian Confluence Server | >=6.14.0<6.14.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-3395?
CVE-2019-3395 is a vulnerability in Atlassian Confluence Server and Data Center that allows remote attackers to send arbitrary HTTP and WebDAV requests.
What is the severity of CVE-2019-3395?
The severity of CVE-2019-3395 is critical, with a CVSS score of 9.8.
Which versions of Atlassian Confluence are affected by CVE-2019-3395?
Atlassian Confluence versions 6.6.12 and earlier, 6.7.0 to 6.8.5, and 6.9.0 to 6.9.3 are affected by CVE-2019-3395.
How can remote attackers exploit CVE-2019-3395?
Remote attackers can exploit CVE-2019-3395 by sending arbitrary HTTP and WebDAV requests to the vulnerable WebDAV endpoint in Atlassian Confluence.
Is there a fix available for CVE-2019-3395?
Yes, the fixed versions for CVE-2019-3395 are 6.6.7 for 6.6.x, 6.8.5 for 6.8.x, and 6.9.3 for 6.9.x of Atlassian Confluence.
- collector/nvd-index
- vendor/atlassian
- canonical/atlassian confluence
- version/atlassian confluence/6.7.0
- canonical/atlassian confluence server
- version/atlassian confluence server/6.13.0
- version/atlassian confluence server/6.14.0