CVE-2019-3398

Basic Information

CVE State

PUBLISHED

Reserved Date

December 19, 2018

Published Date

April 18, 2019

Last Updated

February 07, 2025

Vendor

Atlassian

Product

Confluence

Description

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

CVSS Scores

SSVC Information

Exploitation

active

Technical Impact

total

Exploit Status

Exploited in the Wild

Yes (added 2021-11-03 00:00:00 UTC) Source

Proof of Concept Available

Yes (added 2024-01-28 09:40:35 UTC) Source