Confluence Security Advisory 2010-08-17
This advisory announces a security vulnerability in Confluence 3.3 that we have found and fixed in Confluence 3.3.1. We recommend that you upgrade to Confluence 3.3.1 to fix this vulnerability.
Secure Administrator Session Vulnerability
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
We have identified and fixed a vulnerability that allows the Secure Administrator Sessions feature, introduced in Confluence 3.3, to be bypassed.
If an attacker is able to gain access to a session with administrator privileges, they will be able to access all administrator functions without having to re-authenticate.
This vulnerability exists in Confluence 3.3 only.
See CONF-20508 for more details.
We recommend upgrading your Confluence installation to fix this vulnerability. Please see the 'fix' section below.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary upgrade. For even tighter control, you could restrict access to trusted groups.