Confluence Security Advisory 2010-08-17
This advisory announces a security vulnerability in Confluence 3.3 that we have found and fixed in Confluence 3.3.1. We recommend that you upgrade to Confluence 3.3.1 to fix this vulnerability.
Secure Administrator Session Vulnerability
Severity
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a vulnerability in the Secure Administrator Sessions feature, introduced in Confluence 3.3, that allows it to be bypassed.
Vulnerability
If an attacker is able to gain access to a session with administrator privileges, they will be able to access all administrator functions without having to re-authenticate.
This vulnerability exists in Confluence 3.3 only.
See CONF-20508 for more details.
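The guarantee the Secure Administrator Sessions feature is meant to provide, shown as an added illustration that is not Confluence's own code: a server-side step-up check that every administrator request must pass, where elevation is granted only by a fresh password re-entry and expires on a fixed clock. The `Session` and `AdminGate` names, the ten-minute window and the demo hashing scheme are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy: an elevated (admin) state expires 10 minutes after the
# password was last re-entered, regardless of the ordinary session lifetime.
ADMIN_WINDOW_SECONDS = 10 * 60


def hash_password(password: str) -> str:
    # Demo-only hashing; a real deployment uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Session:
    user: str
    is_admin: bool
    # Time of the last successful password re-entry for admin access.
    # None means the session holds no elevation, even for an admin account.
    admin_reauth_at: Optional[float] = None


class AdminGate:
    def __init__(self, password_hashes: Dict[str, str]):
        self._hashes = password_hashes  # user -> hash_password(password)

    def reauthenticate(self, session: Session, password: str, now: float) -> bool:
        # Elevation is only ever granted here, after a fresh password check.
        expected = self._hashes.get(session.user)
        if expected is None or not hmac.compare_digest(hash_password(password), expected):
            return False
        session.admin_reauth_at = now
        return True

    def admin_allowed(self, session: Session, now: float) -> bool:
        # Evaluated server-side on every admin request: the account must hold
        # the admin role AND the elevation must exist and still be fresh.
        # A session that was never elevated, or whose elevation has expired,
        # is refused until the password is re-entered.
        if not session.is_admin or session.admin_reauth_at is None:
            return False
        return (now - session.admin_reauth_at) < ADMIN_WINDOW_SECONDS

    def drop_elevation(self, session: Session) -> None:
        # Called on logout or when the administrator ends the secure session.
        session.admin_reauth_at = None
```

The check must run on the server for every administrative action; a flag set once at login, or a client-side redirect, is exactly what a bypass like the one described above defeats.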
Risk Mitigation
We recommend upgrading your Confluence installation to fix this vulnerability. Please see the 'Fix' section below.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary upgrade. For even tighter control, you could restrict access to trusted groups.
Fix
Confluence 3.3.1 fixes this issue. See the release notes. You can download Confluence 3.3.1 from the download centre.