Support for Confluence 3.5 has ended.
Please check the latest version of the documentation.
This advisory announces a security vulnerability in Confluence 3.3 that we have found and fixed in Confluence 3.3.1. We recommend that you upgrade to Confluence 3.3.1 to fix this vulnerability.
Secure Administrator Session Vulnerability
Severity
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a vulnerability in the secure administrator session feature introduced in Confluence 3.3 that allows the feature to be bypassed.
Vulnerability
An attacker who has access to a session with administrator privileges can access all administrative functions without re-authenticating.
This vulnerability exists only in Confluence 3.3.
See CONF-20508 for more details.
Risk Mitigation
We recommend upgrading your Confluence installation to fix this vulnerability. Please see the 'Fix' section below.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public access (such as anonymous access and public sign-on) to your wiki until you have applied the necessary upgrade. For even tighter control, you could restrict access to trusted groups.
Fix
Confluence 3.3.1 fixes this issue. See the release notes. You can download Confluence 3.3.1 from the download centre.
