Confluence Security Advisory 2010-07-06

This advisory announces a number of security vulnerabilities in earlier versions of Confluence that we have found and fixed in Confluence 3.3. In addition to releasing Confluence 3.3, we also provide patches (in the form of plugin upgrades) for the vulnerabilities mentioned. You will be able to apply these plugin upgrades to older versions of Confluence. There will, however, be a number of security improvements in Confluence 3.3 that cannot be patched or backported. We recommend upgrading to Confluence 3.3 rather than applying the plugin upgrades.

XSS Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Confluence instances in a public environment. These vulnerabilities are exposed in the Confluence functions described in the table below.

  • XSS vulnerabilities allow an attacker to inject their own JavaScript into a Confluence page, so that the attacker's text and script are rendered in the browsers of other people viewing the page. This is potentially damaging to your company's reputation.
  • An attacker could use such a vulnerability to steal other users' session cookies or other credentials, by having the injected script send them to a web server the attacker controls.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability

We have identified and fixed vulnerabilities in the Confluence features described in the table below.

Confluence Feature                                                      | Affected Confluence Versions | Issue Tracking
------------------------------------------------------------------------|------------------------------|-----------------------
PDF export                                                              | 3.1.0 – 3.2.1                | CONF-20121
Clickr theme                                                            | 2.7.0 – 3.2.1                | CONF-20126
Tasklist macro                                                          | 2.8.0 – 3.2.1                | CONF-20119
Contributors plugin (Contributors macro and Contributors Summary macro) | 3.0.0 – 3.2.1                | CONF-20122, CONF-20125

Risk Mitigation

We recommend that you upgrade your Confluence installation to fix these vulnerabilities. Please see the 'Fix' section below.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can apply one or both of the following mitigations:

In addition, please refer to our guidelines on best practices for configuring Confluence security. In particular, please read our guidelines on using Apache to limit access to the Confluence administration interface.

Fix

Please choose one of the options below that best suits your Confluence version and your ability to upgrade immediately.

Option 1 (Recommended): Upgrade to Confluence 3.3

We recommend that you upgrade to Confluence 3.3, which fixes all of the security issues reported in this advisory. See the Confluence 3.3 release notes. You can download Confluence 3.3 from the download centre.

Option 2: Upgrade or Disable the Affected Plugins

If you cannot upgrade your Confluence installation, you can upgrade or disable the affected plugins to fix the vulnerabilities described in this security advisory.

  • You can upgrade the plugins in the normal manner, via the Confluence Plugin Repository or by manually uploading the JAR. Please refer to the documentation for more details on installing plugins.
  • You can disable plugins via the Confluence Administration Console. See Universal Plugin Manager documentation.

For each affected feature, the Confluence versions on which the fixed plugin can be installed are given in parentheses; on earlier versions the only option short of upgrading Confluence is to disable the plugin.

PDF export plugin (fixed plugin installs on Confluence 3.1 – 3.3)

If you cannot upgrade to Confluence 3.3:

  • If you are running Confluence 3.1.x or 3.2.x, you should install version 1.9 of the PDF Export plugin.
  • If you are running Confluence 3.0.2 or earlier, you do not need to take any action, as these versions are not affected by the security flaw.

Clickr theme (fixed plugin installs on Confluence 3.2 – 3.3)

If you cannot upgrade to Confluence 3.3:

  • If you are running Confluence 3.2.x, you should install version 2.10 of the Clickr Theme plugin.
  • If you are running Confluence 3.1.2 or earlier, you should disable the 'Clickr Theme' plugin.

Tasklist macro (fixed plugin installs on Confluence 3.1 – 3.3)

If you cannot upgrade to Confluence 3.3:

  • If you are running Confluence 3.1.x or 3.2.x, you should install version 3.2.5.2 of the Dynamic Task List 2 plugin.
  • If you are running Confluence 2.8.x to 3.0.x, you should disable the 'Dynamic Task List 2' plugin.
  • If you are running Confluence 2.7.x or earlier, you do not need to take any action, as these versions are not affected by the security flaw.

Contributors plugin (fixed plugin installs on Confluence 3.0 – 3.3)

If you cannot upgrade to Confluence 3.3:

  • If you are running Confluence 3.0.x to 3.2.x, you should install version 1.2.6 of the Contributors plugin.
  • If you are running Confluence 2.10.4 or earlier, you do not need to take any action, as these versions are not affected by the security flaw.
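The following triage script is an added example, not part of Atlassian's advisory or of Confluence's own code. It takes the running Confluence version and the version of each affected plugin as shown in the Administration Console (None if the plugin is disabled or not installed) and returns, per feature, the action the tables above prescribe. The affected ranges, the fixed plugin versions and the Confluence versions on which the fixed plugins install are copied from the advisory; the feature labels used as dictionary keys are this script's own and are not Confluence plugin keys.

```python
"""Triage helper for Confluence Security Advisory 2010-07-06.

Added example, not Atlassian code. Version data is transcribed from the
advisory tables; the feature labels are this script's own keys.
"""
from typing import Dict, Optional, Tuple

# feature label -> (first affected Confluence version, last affected version,
#                   fixed plugin version,
#                   first Confluence version on which the fixed plugin installs)
ADVISORY = {
    "PDF export plugin":   ("3.1.0", "3.2.1", "1.9",     "3.1.0"),
    "Clickr Theme":        ("2.7.0", "3.2.1", "2.10",    "3.2.0"),
    "Dynamic Task List 2": ("2.8.0", "3.2.1", "3.2.5.2", "3.1.0"),
    "Contributors":        ("3.0.0", "3.2.1", "1.2.6",   "3.0.0"),
}

NOT_AFFECTED = "not affected"
PATCHED = "patched plugin installed"
DISABLED = "plugin disabled or not installed"
UPGRADE_PLUGIN = "upgrade plugin to {} (or upgrade Confluence to 3.3)"
DISABLE_PLUGIN = "disable plugin; no patched plugin for this Confluence version (or upgrade Confluence to 3.3)"


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1, 0).

    Components are compared numerically, so 2.10 sorts after 2.9; a plain
    string comparison gets that wrong, and it matters for the Clickr Theme
    fix version. A non-numeric suffix such as '-beta1' is dropped and short
    versions are right-padded with zeros so '3.3' equals '3.3.0.0'.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    parts = parts[:width]
    return tuple(parts) + (0,) * (width - len(parts))


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high, compared component-wise."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(confluence_version: str,
           plugin_versions: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return the advisory's required action for each affected feature.

    plugin_versions maps a feature label from ADVISORY to the installed
    plugin version, or None when the plugin is disabled or absent.
    """
    conf = parse_version(confluence_version)
    actions = {}
    for feature, (low, high, fixed, can_update_from) in ADVISORY.items():
        if not in_range(confluence_version, low, high):
            # Either pre-dates the flaw or is 3.3+, which ships the fix.
            actions[feature] = NOT_AFFECTED
            continue
        installed = plugin_versions.get(feature)
        if installed is None:
            # The vulnerable code is not reachable while the plugin is off.
            actions[feature] = DISABLED
        elif conf < parse_version(can_update_from):
            # Too old for the fixed plugin: the advisory says disable it.
            actions[feature] = DISABLE_PLUGIN
        elif parse_version(installed) >= parse_version(fixed):
            actions[feature] = PATCHED
        else:
            actions[feature] = UPGRADE_PLUGIN.format(fixed)
    return actions


if __name__ == "__main__":
    # Constructed sample: a Confluence 3.2.1 instance with pre-advisory plugins.
    sample = {
        "PDF export plugin": "1.8",
        "Clickr Theme": "2.9",
        "Dynamic Task List 2": "3.2.5.1",
        "Contributors": "1.2.6",
    }
    for feature, action in triage("3.2.1", sample).items():
        print(f"{feature:20s} {action}")
```

The numeric version comparison is the part worth keeping even if you adapt the table: the Clickr Theme fix is version 2.10, which a lexical comparison would rank below the vulnerable 2.9.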
