Confluence Security Advisory 2010-08-17

This advisory announces a security vulnerability in Confluence 3.3 that we have found and fixed in Confluence 3.3.1. We recommend that you upgrade to Confluence 3.3.1 to fix this vulnerability.

In this advisory:

Secure Administrator Session Vulnerability

Severity

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a vulnerability in the Secure Administrator Sessions feature, introduced in Confluence 3.3, that allows it to be bypassed.

Vulnerability

If an attacker is able to gain access to a session with administrator privileges, they will be able to access all administrator functions without having to re-authenticate.

This vulnerability exists in Confluence 3.3 only.

See CONF-20508 for more details.

Risk Mitigation

We recommend upgrading your Confluence installation to fix this vulnerability. Please see the 'Fix' section below.

Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary upgrade. For even tighter control, you could restrict access to trusted groups.

Fix

Confluence 3.3.1 fixes this issue. See the release notes. You can download Confluence 3.3.1 from the download centre.
