Confluence セキュリティ勧告 - 2008-10-14

Confluence のセキュリティの概要とアドバイザリ

このページの内容

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

In this advisory:

Confluence におけるパラメータ インジェクションの脆弱性

重大度

Atlassian rates this vulnerability as critical, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a flaw which would allow a malicious user (hacker) to inject their own values into a Confluence request by adding parameters to the URL string. This would allow a hacker to bypass Confluence's security checks and perform actions that they are not authorised to perform.

Risk Mitigation

To address the issue, you should upgrade Confluence as soon as possible or follow the patch instructions below. If you judge it necessary, you can block all untrusted IP addresses from accessing Confluence.

Vulnerability

ハッカーは Confluence サーバーで、Confluence のセキュリティ チェックをバイパスし、特定のアクションを実施するパラメータを含む URL 文字列を設計することができます。この原因は、Confluence がサーバーでアクションを適用する前に、ユーザー入力を適切にサニタイズしていないことです。

Exploiting this issue could allow an attacker to access or modify data and compromise the Confluence application.

The following Confluence versions are vulnerable: All versions from 1.3 to 2.9.1.

Fix

This issue has been fixed in Confluence 2.9.2 (see the release notes), which you can download from the download centre.

If you do not wish to upgrade to Confluence 2.9.2, a patch is available that will work with any affected version of Confluence. You can download and install the patch from on our JIRA site. For more information, please refer to CONF-13092.

XSS Vulnerability in Various Confluence Actions and Plugins

重大度

Atlassian rates these vulnerabilities as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of security flaws which may affect Confluence instances in a public environment. The flaws are all XSS (cross-site scripting) vulnerabilities in various Confluence actions. Each vulnerability potentially allows a malicious user (hacker) to embed their own JavaScript into a Confluence page.

  • The hacker might take advantage of the flaw to steal other users' session cookies or other credentials, by sending the credentials back to the hacker's own web server.
  • The hacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation

If you judge it necessary, you can disable public access (e.g. anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

Vulnerability

A hacker can inject their own JavaScript into the Confluence actions listed in the table below. Each of the actions is invoked when a user performs a specific function in Confluence, such as clicking a link or a button. The actions can also be invoked by simply entering the URL into the browser address bar. The rogue JavaScript will be executed when a user invokes the URL.

For more details please refer to the related JIRA issue, also shown in the table below.

Confluence アクション

影響する Confluence バージョン

More Details

Reporter
(If Not Atlassian)

View children via the Pagetree plugin (bundled with Confluence)

2.8.0 to 2.9.1 inclusive

CONF-13043

Thomas Jaehnel

Update bookmark via the Social Bookmarking plugin (bundled with Confluence)

2.6.0 to 2.9.1 inclusive

CONF-13041

Thomas Jaehnel

Build RSS feed

2.0 to 2.9.1 inclusive

CONF-13042

Thomas Jaehnel

検索マクロを使用した検索

All versions from 1.0 to 2.9.1 inclusive

CONF-13040

Thomas Jaehnel

検索

All versions from 1.0 to 2.9.1 inclusive

CONF-12944

 

Fix

These issues have been fixed in Confluence 2.9.2 (see the release notes), which you can download from the download centre.

If you do not wish to upgrade to Confluence 2.9.2, you can download and install the patches provided on our JIRA site. For more information, please refer to the specific JIRA issues shown in the table of vulnerabilities above.

上記の XSS 脆弱性の大半を報告してくださった OPTIMAbitThomas Jaehnel 様に感謝いたします。当社では脆弱性の報告を完全にサポートしており、問題の特定と解決に対する皆様の協力に感謝しています。

Privilege Escalation Vulnerability in Confluence Watches

重大度

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a flaw which would allow an unauthorised user to add a Confluence page to the list of pages they are watching, even if the user does not have permission to view that page. Under some circumstances, the unauthorised user may thus have access to information they are not authorised to see.

Risk Mitigation

This flaw does not allow the unauthorised user to update the page, but it may give the user access to information that they do not have permission to see.

Vulnerability

An unauthorised user can manipulate the HTTP request, so that it adds a watch to a page which the user does not have permission to view. The page then appears in the user's list of watched pages, displaying the page title and the corresponding space name. In this way, the user can bypass Confluence's permission checks and gain access to information they are not authorised to see.

The following Confluence versions are vulnerable: All versions from 1.0 to 2.9.1.

Fix

This issue has been fixed in Confluence 2.9.2 (see the release notes), which you can download from the download centre.

Confluence 2.9.2 にアップグレードしたくない場合、JIRA サイトで提供されているパッチをダウンロードしてインストールすることができます。詳細については、CONF-13039 を参照してください。

Our thanks to Thomas Jaehnel of OPTIMAbit, who reported the vulnerability listed above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

Privilege Escalation Vulnerability in Confluence Favourites

重大度

Atlassian は、この脆弱性を中規模と評価しています。これはConfluence セキュリティで公開されているスケールに従って決定されます。スケールによって、脆弱性を重大、高度、中規模、低度として評価することができます。

Risk Assessment

We have identified and fixed a flaw which would allow an unauthorised user to add a Confluence page to their list of favourites, even if the user does not have permission to view that page. Under some circumstances, the unauthorised user may thus have access to information they are not authorised to see.

Risk Mitigation

This flaw does not allow the unauthorised user to update the page, and it gives the user only very limited access to the information they do not have permission to see.

Vulnerability

An unauthorised user can manipulate the HTTP request, so that it marks as 'favourite' a page which the user does not have permission to view. The page is then added to the number of favourites for the user. The user cannot see the page title or content, but can see that the favourite count has been incremented.

The following Confluence versions are vulnerable: All versions from 1.0 to 2.9.1.

Fix

This issue has been fixed in Confluence 2.9.2 (see the release notes), which you can download from the download centre.

Confluence 2.9.2 にアップグレードしたくない場合、JIRA サイトで提供されているパッチをダウンロードしてインストールすることができます。詳細については、CONF-13044 を参照してください。

Our thanks to Thomas Jaehnel of OPTIMAbit, who reported the vulnerability listed above. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.

最終更新日 2013 年 9 月 13 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.