Abstract Advisory Information
Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the Word export feature.
Authors: Jean-Marie Bourbon from Excellium-Services company
Version affected
Name: Confluence
Versions: 6.12.0
Common Vulnerability Scoring System
3.1
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Patches
Fixed in 6.14.0 or 6.13.1
References
https://jira.atlassian.com/browse/CONFSERVER-57814
Vulnerability Disclosure Timeline
- 18/09/2018 – Vulnerability discovered.
- 19/09/2018 – Bugcrowd submission.
- 20/09/2018 – Atlassian PSIRT notification.
- 24/09/2018 – Atlassian support notification.
- 25/09/2018 – Issue acknowledged by support -> Long Term backlog.
- 29/01/2019 – Published on Atlassian’s public issue tracker.
- 28/02/2019 – Public disclosure.