Multiple vulnerabilities in Confluence Data Center and Server
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2022-42890 CVE-2022-40146 CVE-2022-41704 CVE-2022-42252 |
| CWE-ID | CWE-94 CWE-918 CWE-444 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
Atlassian Confluence Server Server applications / Web servers Confluence Data Center Server applications / Other server solutions |
| Vendor | Atlassian |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Code Injection
EUVDB-ID: #VU68827
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42890
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to the application allows running Java classes via JavaScript. A remote user can use JavaScript to execute a Java class on the system and obtain its execution results.
Example:
Runtime.getRuntime().exec("xxx");
MitigationInstall update from vendor's website.
Vulnerable software versionsAtlassian Confluence Server: 7.13.0 - 7.19.15
Confluence Data Center: 7.13.0 - 7.19.15
CPE2.3- cpe:2.3:a:atlassian:atlassian_confluence_server:7.19.15:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.13.20:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.18.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.16.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.15.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.14.4:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.17.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.19.15:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.13.20:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.18.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.17.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.16.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.15.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.14.4:*:*:*:*:*:*:
http://jira.atlassian.com/browse/CONFSERVER-93175
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU67585
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-40146
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of URLs in jar files. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsAtlassian Confluence Server: 7.13.0 - 7.19.15
Confluence Data Center: 7.13.0 - 7.19.15
CPE2.3- cpe:2.3:a:atlassian:atlassian_confluence_server:7.19.15:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.13.20:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.18.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.16.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.15.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.14.4:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.17.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.19.15:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.13.20:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.18.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.17.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.16.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.15.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.14.4:*:*:*:*:*:*:
http://jira.atlassian.com/browse/CONFSERVER-93178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Code Injection
EUVDB-ID: #VU68826
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-41704
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure processing links to .jar files inside .svg images. A remote attacker can upload a malicious .svg image that contains links to .jar files and execute arbitrary Java code on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Code injection example:
<script type="application/java-archive" xlink:href="file.jar"/>
Install update from vendor's website.
Vulnerable software versionsAtlassian Confluence Server: 7.13.0 - 7.19.15
Confluence Data Center: 7.13.0 - 7.19.15
CPE2.3- cpe:2.3:a:atlassian:atlassian_confluence_server:7.19.15:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.13.20:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.18.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.16.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.15.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.14.4:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.17.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.19.15:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.13.20:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.18.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.17.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.16.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.15.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.14.4:*:*:*:*:*:*:
http://jira.atlassian.com/browse/CONFSERVER-93179
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU68859
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42252
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers via an invalid
Content-Length header.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks but requires Tomcat to be configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (not the default configuration).
Install update from vendor's website.
Vulnerable software versionsAtlassian Confluence Server: 7.13.0 - 7.19.15
Confluence Data Center: 7.13.0 - 7.19.15
CPE2.3- cpe:2.3:a:atlassian:atlassian_confluence_server:7.19.15:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.13.20:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.18.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.16.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.15.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.14.4:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:atlassian_confluence_server:7.17.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.19.15:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.13.20:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.18.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.17.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.16.5:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.15.3:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.14.4:*:*:*:*:*:*:
http://jira.atlassian.com/browse/CONFSERVER-93168
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
