Attacker Value: High (3 users assessed)
Exploitability: High (3 users assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

Confluence Unauthorized RCE Vulnerability

Disclosure Date: March 25, 2019

Description

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
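As an added example that is not part of this page or of any Atlassian or Rapid7 tooling, the following Python turns the four affected ranges quoted above into a check that can be run over an inventory of Confluence Server / Data Center version strings; it assumes plain dotted-integer versions, and treats the "before 6.6.12" line as having no lower bound, which is an interpretation of the advisory wording:

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, first fixed) per branch, taken from the advisory text.
# Assumption: "before 6.6.12" has no stated lower bound, so every release
# below 6.6.12 is counted as affected on that line.
AFFECTED_RANGES = [
    ((0,),       (6, 6, 12)),   # before 6.6.12
    ((6, 7, 0),  (6, 12, 3)),   # 6.7.0  <= v < 6.12.3
    ((6, 13, 0), (6, 13, 3)),   # 6.13.0 <= v < 6.13.3
    ((6, 14, 0), (6, 14, 2)),   # 6.14.0 <= v < 6.14.2
]


def parse_version(text: str) -> Version:
    """Turn '6.13.0' (or '6.13') into a tuple of ints so the comparison is
    numeric, not lexical: '6.6.9' must sort below '6.6.12'."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(v: Version, n: int) -> Version:
    # Right-pad with zeros so '6.13' compares equal to '6.13.0'.
    return v + (0,) * (n - len(v))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the affected branch, or None
    when the given version is outside every affected range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        n = max(len(v), len(lo), len(hi))
        if _pad(lo, n) <= _pad(v, n) < _pad(hi, n):
            return ".".join(str(x) for x in hi)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver in ["6.6.9", "6.6.12", "6.12.2", "6.13.0", "6.13.3", "6.14.1", "6.15.0"]:
        print(f"{ver:8} affected={is_affected(ver)!s:5} upgrade_to={fixed_version_for(ver)}")
```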


4
Ratings
Technical Analysis

Due to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.

There is a public POC available: https://github.com/Yt1g3r/CVE-2019-3396_EXP from which you could base other attacks.

3
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

This vulnerability is important to patch given the ease by which an attacker can exploit a Confluence server.

2
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

A vulnerability in the installed-by-default Widget Connector macro within Atlassian Confluence provides for unauthenticated remote code execution via a network-listening web service. The attacker sends crafted JSON via an HTTP POST request to the rest/tinymce/1/macro/preview endpoint, including a malicious _template variable which triggers the vulnerable server to callback to the client on an arbitrary IP address and port.

The vulnerability affects Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2.

A pull request for this exploit was submitted to the Metasploit Framework on 12 April 2019. The Metasploit exploit module did not work when tested against 6.13.0.

Analysis

The nature of this exploit provides a reliable exploit onto a vulnerable server, with minimal downside of detection or crashing the target. In addition, the attacker can leverage HTTPS to encrypt the exploit attempt, bypassing network intrusion detection.

Overall, I think this exploit is going to be in high use. Given the popularity of Confluence, the tendency for organizations to self-host Confluence, and the lack of downsides for an attacker to try this exploit, I think we’ll see a lot of use out of this one.

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • Atlassian

Products

  • Confluence Server