A flaw has been found in Confluence by which attackers can bypass Confluence security and change content on the site. Atlassian STRONGLY recommends that all Confluence customers apply the fix described below immediately, or upgrade to Confluence 1.3.3
By crafting custom URLs, any person with the ability to browse Confluence can modify content on the site, bypassing security settings. This vulnerability does not allow users to view content they would not normally be able to view, or escalate their privileges in other ways.
This flaw affects all versions of Confluence prior to 1.3.3, including the 1.4-DR development releases.
This vulnerability is fixed in Confluence 1.3.3 and later. Customers who do not wish to migrate to 1.3.3 can fix this bug using the procedure below:
- Edit the file confluence/WEB-INF/classes/xwork.xml
- Find the following section near the top of the file (around line 34):
- Locate the "autowire" and "params" entries:
- Swap the two lines around. The whole stack should now look like this:
- Restart Confluence.