← Back to CVEs
CVE-2019-3396
CRITICALCISA KEV9.8
Description
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published3/25/2019
Last Modified10/24/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorAtlassian
ProductConfluence Server and Data Server
Vulnerability NameAtlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability
KEV Date Added2021-11-03
Remediation Due Date2022-05-03
Ransomware UseKnown
Affected Products
atlassian:confluence_server
Weaknesses (CWE)
CWE-22CWE-22
References
http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html(security@atlassian.com)
http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html(security@atlassian.com)
http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector(security@atlassian.com)
https://jira.atlassian.com/browse/CONFSERVER-57974(security@atlassian.com)
https://www.exploit-db.com/exploits/46731/(security@atlassian.com)
http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector(af854a3a-2127-422b-91ae-364da2661108)
https://jira.atlassian.com/browse/CONFSERVER-57974(af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/46731/(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3396(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.