Attacker Value

High

Confluence Unauthorized RCE Vulnerability

Attacker Value

High

(3 users assessed)

Exploitability

High

(3 users assessed)

User Interaction

Confluence Unauthorized RCE Vulnerability

Disclosure Date: March 25, 2019 •

CVE-2019-3396 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

Description

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

Add Assessment

J3rryBl4nks (83)

March 03, 2020 3:30pm UTC (2 years ago)•Edited 1 year ago

Ratings

Common in enterprise Difficult to patch Easy to weaponize Vulnerable in default configuration

Technical Analysis

Due to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.

There is a public POC available:https://github.com/Yt1g3r/CVE-2019-3396_EXP from which you could base other attacks.

space-r7 (127)

May 22, 2019 1:34pm UTC (3 years ago)•Edited 1 year ago

Ratings

Attacker Value

High

Exploitability

High

Technical Analysis

This vulnerability is important to patch given the ease by which an attacker can exploit a Confluence server.

asoto-r7 (33)

May 09, 2019 5:57pm UTC (3 years ago)•Edited 1 year ago

Ratings

Attacker Value

High

Exploitability

High

Technical Analysis

A vulnerability in the installed-by-default Widget Connector macro within Atlassian Confluence provides for unauthenticated remote code execution via a network-listening web service. The attacker sends crafted JSON via an HTTP POST request to the rest/tinymce/1/macro/preview endpoint, including a malicious _template variable which triggers the vulnerable server to callback to the client on an arbitrary IP address and port.

The vulnerability affects Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2.

A pull request for this exploit was submitted to the Metasploit Framework on 12 April 2019. The Metasploit exploit module did not work when tested against 6.13.0.

Analysis

The nature of this exploit provides a reliable exploit onto a vulnerable server, with minimal downside of detection or crashing the target. In additon, the attacker can leverage HTTPS to encrypt the exploit attempt, bypassing network intrusion detection.

Overall, I think this exploit is going to be in high use. Given the popularity of Confluence, the tendency for organizations to self-host Confluence, and the lack of downsides for an attacker to try this exploit, I think we’ll see a lot of use out of this one.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

Atlassian

Products

Confluence Server

Metasploit Modules

exploit/multi/http/confluence_widget_connector (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/confluence_widget_connector.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-209a)

Reported: July 28, 2021 3:34pm UTC (1 year ago)

References

Rapid7

High