| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Apr 2017 10:55:21 +1000 From: David Black <dblack@...assian.com> To: bugtraq@...urityfocus.com Subject: April 2017 - Confluence - Security Advisory -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE ID: * CVE-2017-7415. Product: Confluence. Affected Confluence product versions: 6.0.0 <= version < 6.0.7 Fixed Confluence product versions: * for 6.0.x, Confluence 6.0.7 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability that was introduced in version 6.0.0 of Confluence. Versions of Confluence starting with version 6.0.0 but less than 6.0.7 (the fixed version for 6.0.x) are affected by this vulnerability. Cloud instances have already been upgraded to a version of Confluence that does not have the issue described in this email. Customers who have upgraded Confluence to version 6.0.7 or 6.1.0 or 6.1.1 are not affected. Customers who have downloaded and installed Confluence >= 6.0.0 but less than 6.0.7 (the fixed version for 6.0.x) please upgrade your Confluence installations immediately to fix this vulnerability. Unauthenticated users can view the content of Confluence blogs and pages (CVE-2017-7415) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. Description: The Confluence drafts diff rest resource made the current content of all blogs and pages in Confluence available without authentication. Attackers who can access the Confluence web interface of a vulnerable version can use this vulnerability to obtain the content of all blogs and pages inside Confluence. All versions of Confluence starting with version 6.0.0 but less than 6.0.7 (the fixed version for 6.0.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-52222 . Fix: To address this issue, we've released the following versions containing a fix: * Confluence version 6.0.7 * Confluence version 6.1.0 * Confluence version 6.1.1 Remediation: Upgrade Confluence to version 6.1.1 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. For a full description of the latest version of Confluence, see the release notes found at https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence from the download centre found at https://www.atlassian.com/software/confluence/download. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. -----BEGIN PGP SIGNATURE----- iQI0BAEBCgAeBQJY/+/NFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8 UnagafUP/3VspFiWwYeF5IzWlpGJxc9ssJHwTwTeCBN6axpqdOhiCYf/7GIWa7n3 eSLTgtdHyFhYQdxLeA0N/9IZCYEwc3aqs6w+pbOPRMNVYi0Br28XT9Nh4kkuPPe+ Yu/NZpMl8xAZTOa31JUWK16Akqs8FgI/BiiXUj+Ynb2vf838ZfAfdjH/nVKHqkeT Js32/bgk544Ov/hHWJXeAgdy7FwrocWlmM4S3v4AYs1mbsFVEP1b7pZAEZdEzGig yUxqSkx2hJ4JaJcvEq1+X96m3O0WJF2TLtnl8vwkCqm7AIryyl/1SVsuNlwog/3z pzt+kwQVWkLiRhAbTtLPujKMMH97CEbqHIn8bJw1FJCOuIyy583v+S+xxwNLLKgX 0QvVFQ8R+qJvJ2j2lZ0N5v8kZFc2tddMU08CDwq0iiKbuGNNF+pCkhkWP9+Z6CT6 Fq+dLXiQ76ep1wDpW9wvZsn4TU1766GI2kUhw5XVp8JfbkLceLBJwspW8r/08vO8 ++wWmh6uTv8MjzuCF2Z+VOPERInyF6VXNJZsjREiEqWMqXkjPOitI8WLd82c++3c idXEHpn41DO9jTp+3QYEAz1q8KFpH1R8wqf1Gcc8bjoHz6VTwnZJn9VIJjNHGvLV Cu7WefWbv55nsx2bi6vqb6LBq9U7X6+lU2OFy7XW1WC+/t/flgbv =6xjG -----END PGP SIGNATURE-----
Powered by blists - more mailing lists