Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)

Recently, a new critical vulnerability in Atlassian Confluence was discovered. Exploiting the vulnerability may allow attackers to write files to arbitrary locations on the server's file system.

The root cause of the vulnerability is located in the "download all attachments" functionality of Confluence, which allows the user to download a zip file containing all the files attached to a Confluence document. To create the zip file, Confluence creates a temporary directory and copies all the attached files into it, then builds a zip file from this temporary directory and sends that zip file in the response.

Figure 1: Download all attachments functionality in Confluence

Figure 2: Zip file with all the attached files created when download all attachments function is called

To exploit the vulnerability, an attacker could tamper with the attachment file name parameter in the attachment upload request by adding directory traversal sequences before the file name. When the "download all attachments" function is then triggered, Confluence writes the attached files outside of the designated temporary folder, which allows the attacker to write files anywhere in the file system of the server. This could also lead to remote code execution if the uploaded file is written inside a web-accessible directory.

Figure 3: Tampered attachment upload request

Figure 4: Malicious file written into a Confluence web-accessible directory

Figure 5: JSP code executed when accessing the uploaded file
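
The containment check that this class of bug lacks, shown as an added Python illustration (it is not Confluence's code and not part of the original article). The function names, the staging directory layout and the sample attachment names are constructed for the example.

```python
import tempfile
from pathlib import Path


def naive_target(staging_dir, attachment_name):
    """Flawed pattern: the stored file name is trusted when building the copy path."""
    return Path(staging_dir) / attachment_name


def safe_target(staging_dir, attachment_name):
    """Resolve the copy path and reject it unless it sits directly in staging_dir."""
    base = Path(staging_dir).resolve()
    candidate = (base / attachment_name).resolve()
    # "..", absolute names, empty names and nested paths all resolve to a different parent.
    if candidate.parent != base:
        raise ValueError("not a plain file name inside the staging directory: %r"
                         % attachment_name)
    return candidate


def stage_attachments(staging_dir, attachments):
    """Copy attachments into staging_dir for zipping; return (staged, rejected) names."""
    staged, rejected = [], []
    for name, data in attachments.items():
        try:
            target = safe_target(staging_dir, name)
        except ValueError:
            rejected.append(name)  # worth logging: a traversal name is an attack indicator
            continue
        target.write_bytes(data)
        staged.append(name)
    return staged, rejected


if __name__ == "__main__":
    # Constructed sample data: one ordinary attachment, one tampered file name.
    sample = {"report.pdf": b"%PDF-", "../../outside/page.jsp": b"constructed"}
    with tempfile.TemporaryDirectory() as root:
        staging = Path(root) / "temp" / "download-all"
        staging.mkdir(parents=True)
        print("naive path:", naive_target(staging, "../../outside/page.jsp").resolve())
        print("staged, rejected:", stage_attachments(staging, sample))
```

The naive path resolves two levels above the staging directory, while the checked version stages only `report.pdf` and reports the tampered name as rejected.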

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing directory traversal attack signatures, which can be found in signature sets that include the “Path Traversal” attack type.

Figure 6: Exploit blocked with attack signature 200007016

Figure 7: Exploit blocked with attack signature 200000190

Published Apr 23, 2019
Version 1.0
