
Office Connector Plugin Content Overwrite Vulnerability

Severity

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified a risk that makes it possible for users with read-only access to a Confluence wiki space to modify its contents via the document import feature of the Office Connector plugin. This issue, however, does not expose restricted content on a Confluence wiki space to unauthorised users.

Risk Mitigation

See the "Fix" section below. If you cannot apply the fix immediately, you can consider taking one or more of the following steps:

  • Disable the whole Office Connector plugin, as explained in Disabling and enabling apps.
  • If you judge it necessary, you can disable public access (e.g. anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade.
  • For even tighter control, you could restrict access to trusted groups.

Vulnerability

The Office Connector plugin was first bundled with Confluence version 2.10.0. This vulnerability therefore affects Confluence 2.10.0 with the Office Connector plugin enabled. In addition, the plugin is compatible with all versions of Confluence from 2.3.0 onward, so if you have installed the plugin on an earlier version, the vulnerability also affects that Confluence instance.

Fix

Please download and install the latest version of the Office Connector plugin using the Universal Plugin Manager (instructions here). If you wish to install this plugin manually, you can download it from here.

Alternatively, install or upgrade to Confluence version 2.10.1. (See the release notes.) The Confluence 2.10.1 installation files can be downloaded from the download centre.

For more information, please refer to CONF-14014.

Our thanks to Justin Wong, who reported this vulnerability. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
