First published: Wed Mar 20 2019(Updated: )
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
Credit: security@atlassian.com security@atlassian.com
Affected Software | Affected Version | How to fix |
---|---|---|
Atlassian Confluence | <6.6.12 | |
Atlassian Confluence | >=6.7.0<6.12.3 | |
Atlassian Confluence Server | >=6.13.0<6.13.3 | |
Atlassian Confluence Server | >=6.14.0<6.14.2 | |
Atlassian Confluence Server and Data Server | ||
<6.6.12 | ||
>=6.7.0<6.12.3 | ||
>=6.13.0<6.13.3 | ||
>=6.14.0<6.14.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-3396 is a vulnerability in Atlassian Confluence Server and Data Center that allows server-side template injection.
CVE-2019-3396 has a severity rating of 9.8, which is considered critical.
Versions up to and including 6.6.12, between 6.7.0 and 6.12.3, between 6.13.0 and 6.13.3, and between 6.14.0 and 6.14.2 of Atlassian Confluence Server and Data Center are affected.
To fix CVE-2019-3396, you should upgrade Atlassian Confluence Server and Data Center to version 6.6.12 or higher, 6.12.3 or higher, 6.13.3 or higher, or 6.14.2 or higher.
You can find more information about CVE-2019-3396 at the following references: [http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html](http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html), [http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html](http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html), and [http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector](http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector).