CVE-2019-3396: Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability
First published: Wed Mar 20 2019(Updated: )
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
Credit: security@atlassian.com security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Confluence | <6.6.12 | |
| Atlassian Confluence | >=6.7.0<6.12.3 | |
| Atlassian Confluence Server | >=6.13.0<6.13.3 | |
| Atlassian Confluence Server | >=6.14.0<6.14.2 | |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html
- http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html
- http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector
- https://jira.atlassian.com/browse/CONFSERVER-57974
- https://www.exploit-db.com/exploits/46731/
- https://nvd.nist.gov/vuln/detail/CVE-2019-3396
Frequently Asked Questions
What is CVE-2019-3396?
CVE-2019-3396 is a vulnerability in Atlassian Confluence Server and Data Center that allows server-side template injection.
How severe is CVE-2019-3396?
CVE-2019-3396 has a severity rating of 9.8, which is considered critical.
Which versions of Atlassian Confluence are affected by CVE-2019-3396?
Versions up to and including 6.6.12, between 6.7.0 and 6.12.3, between 6.13.0 and 6.13.3, and between 6.14.0 and 6.14.2 of Atlassian Confluence Server and Data Center are affected.
How can I fix CVE-2019-3396?
To fix CVE-2019-3396, you should upgrade Atlassian Confluence Server and Data Center to version 6.6.12 or higher, 6.12.3 or higher, 6.13.3 or higher, or 6.14.2 or higher.
Where can I find more information about CVE-2019-3396?
You can find more information about CVE-2019-3396 at the following references: [http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html](http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html), [http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html](http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html), and [http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector](http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/description
- agent/title
- agent/remedy
- agent/author
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- exploited/true
- ransomware/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/references
- agent/tags
- collector/nvd-cve
- source/NVD
- vendor/atlassian
- canonical/atlassian confluence
- version/atlassian confluence/6.7.0
- canonical/atlassian confluence server
- version/atlassian confluence server/6.13.0
- version/atlassian confluence server/6.14.0
- canonical/atlassian confluence server and data server