← Back to CVEs

CVE-2019-3398

HIGHCISA KEV

8.8

Description

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

CVE Details

CVSS v3.1 Score8.8

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionNONE

Published4/18/2019

Last Modified10/24/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorAtlassian

ProductConfluence Server and Data Center

Vulnerability NameAtlassian Confluence Server and Data Center Path Traversal Vulnerability

KEV Date Added2021-11-03

Remediation Due Date2022-05-03

Ransomware UseUnknown

Affected Products

atlassian:confluence_server

Weaknesses (CWE)

CWE-22CWE-22

References

http://packetstormsecurity.com/files/152616/Confluence-Server-Data-Center-Path-Traversal.html(security@atlassian.com)

http://packetstormsecurity.com/files/155235/Atlassian-Confluence-6.15.1-Directory-Traversal.html(security@atlassian.com)

http://packetstormsecurity.com/files/155245/Atlassian-Confluence-6.15.1-Directory-Traversal.html(security@atlassian.com)

http://www.securityfocus.com/bid/108067(security@atlassian.com)

https://jira.atlassian.com/browse/CONFSERVER-58102(security@atlassian.com)

https://seclists.org/bugtraq/2019/Apr/33(security@atlassian.com)

http://packetstormsecurity.com/files/152616/Confluence-Server-Data-Center-Path-Traversal.html(af854a3a-2127-422b-91ae-364da2661108)

http://packetstormsecurity.com/files/155235/Atlassian-Confluence-6.15.1-Directory-Traversal.html(af854a3a-2127-422b-91ae-364da2661108)

http://packetstormsecurity.com/files/155245/Atlassian-Confluence-6.15.1-Directory-Traversal.html(af854a3a-2127-422b-91ae-364da2661108)

http://www.securityfocus.com/bid/108067(af854a3a-2127-422b-91ae-364da2661108)

https://jira.atlassian.com/browse/CONFSERVER-58102(af854a3a-2127-422b-91ae-364da2661108)

https://seclists.org/bugtraq/2019/Apr/33(af854a3a-2127-422b-91ae-364da2661108)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3398(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.