Recently, a new critical vulnerability was discovered in Atlassian Confluence. Exploiting it allows an attacker to write files to arbitrary locations on the server's file system.

The root cause of the vulnerability lies in the "download all attachments" functionality of Confluence, which lets a user download a zip file containing every file attached to a Confluence page. To build that zip, Confluence creates a temporary directory, copies all of the attached files into it, creates a zip file from the temporary directory and returns the zip file in the response.


Figure 1: Download all attachments functionality in Confluence


Figure 2: Zip file with all the attached files created when download all attachments function is called

To exploit the vulnerability, an attacker tampers with the attachment file name parameter in the upload request, prepending directory traversal sequences to the file name. When the download all attachments function is later triggered, Confluence joins that stored name to the temporary directory and writes the attached file outside of the designated temporary folder, which lets the attacker write files anywhere on the server's file system that the Confluence process has permission to write. This can also lead to remote code execution: an uploaded JSP file written into a web-accessible directory is executed when it is requested.


Figure 3: Tampered attachment upload request


Figure 4: Malicious file written into a Confluence web accessible directory


Figure 5: JSP code executed when accessing the uploaded file
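The following is an added illustration of the flaw described above, not Confluence's own code: a minimal "stage attachments into a temporary directory, then zip it" routine in its vulnerable form (the stored file name is joined to the staging directory verbatim) next to a hardened form that refuses any name containing a separator or resolving outside the staging directory. The attachment names, the `webroot` target directory and the marker content are constructed for the demo; the example runs entirely inside a throwaway temporary tree so the "escaped" file never lands anywhere real.

```python
import os
import tempfile
import zipfile


# Constructed sample attachments (name as stored by the application, bytes).
# The second entry carries the directory traversal an attacker would put in
# the upload request's file name parameter; the content is a harmless marker.
ATTACHMENTS = [
    ("notes.txt", b"benign attachment\n"),
    ("../../webroot/marker.jsp", b"<%-- marker, not a real payload --%>\n"),
]


def is_inside(base, path):
    """True if the resolved path is inside the resolved base directory."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def stage_unsafe(attachments, staging_dir):
    """Vulnerable staging: the stored file name is joined to the temporary
    directory as-is, so '../' segments walk out of it."""
    written = []
    for name, data in attachments:
        dest = os.path.join(staging_dir, name)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(dest))
    return written


def stage_safe(attachments, staging_dir):
    """Hardened staging: refuse separators and dot names outright (rather than
    silently stripping them) and verify the resolved path stays inside the
    staging directory before writing anything."""
    written, rejected = [], []
    for name, data in attachments:
        dest = os.path.join(staging_dir, name)
        if ("/" in name or "\\" in name or name in ("", ".", "..")
                or not is_inside(staging_dir, dest)):
            rejected.append(name)
            continue
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(dest))
    return written, rejected


def build_zip(staging_dir, zip_path):
    """Zip whatever ended up in the staging directory. This mirrors the
    'download all attachments' step; by the time it runs, a traversal in the
    staging step has already written the file elsewhere."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for root, _dirs, files in os.walk(staging_dir):
            for fname in files:
                full = os.path.join(root, fname)
                zf.write(full, os.path.relpath(full, staging_dir))
    return zip_path


def demo():
    """Run both variants inside a throwaway tree and report which unsafe
    writes escaped the staging directory and which names the safe variant
    rejected. The tree layout (server/work/zip-staging) is an assumption
    chosen so the traversal resolves to a sibling 'webroot' directory."""
    with tempfile.TemporaryDirectory() as root:
        staging = os.path.join(root, "server", "work", "zip-staging")
        os.makedirs(staging)
        unsafe_paths = stage_unsafe(ATTACHMENTS, staging)
        escaped = [p for p in unsafe_paths if not is_inside(staging, p)]
        safe_paths, rejected = stage_safe(ATTACHMENTS, staging)
        build_zip(staging, os.path.join(root, "all.zip"))
        return escaped, safe_paths, rejected


if __name__ == "__main__":
    escaped, safe_paths, rejected = demo()
    print("unsafe staging wrote outside the staging dir:", escaped)
    print("safe staging wrote:", safe_paths)
    print("safe staging rejected:", rejected)
```

The hardened variant deliberately rejects rather than normalises: flattening the name to its base name would still accept the upload and hide the tampering, whereas a rejection can be logged and alerted on. The `is_inside` check after `realpath` is the backstop that also covers symlinks inside the staging tree.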

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability. Exploitation attempts are detected by the existing directory traversal attack signatures, which are included in signature sets that contain the “Path Traversal” attack type. As with any signature-based protection, the request is only blocked if those signatures are assigned to the security policy protecting Confluence and are enforced (not in staging) with the policy in blocking mode.


Figure 6: Exploit blocked with attack signature 200007016


Figure 7: Exploit blocked with attack signature 200000190
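To make concrete what a path traversal signature has to look for in the tampered upload request, here is an added illustration written for this article; it is not the logic of the BIG-IP ASM signatures shown above. It assumes the attachment name travels in the `filename` attribute of a multipart form upload, decodes percent-encoding repeatedly (to catch double-encoded `%252e%252e%252f`), folds backslashes to forward slashes, and then flags only `..` that stands as a full path segment, so a benign name like `my..file.txt` is not a false positive. The request body is constructed for the example.

```python
import re
from urllib.parse import unquote

# A '..' that is a whole path segment: at the start, between separators, or at the end.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed multipart upload body with one benign file, one benign name that
# merely contains '..', and four tampered names using different encodings.
SAMPLE_BODY = "\r\n".join([
    "--boundary",
    'Content-Disposition: form-data; name="file"; filename="report.pdf"',
    "",
    "benign bytes",
    "--boundary",
    'Content-Disposition: form-data; name="file"; filename="my..file.txt"',
    "",
    "also benign",
    "--boundary",
    'Content-Disposition: form-data; name="file"; filename="../../confluence/x.jsp"',
    "",
    "plain traversal",
    "--boundary",
    'Content-Disposition: form-data; name="file"; filename="..%2F..%2Fconfluence%2Fx.jsp"',
    "",
    "url-encoded slashes",
    "--boundary",
    'Content-Disposition: form-data; name="file"; filename="%252e%252e%252fx.jsp"',
    "",
    "double-encoded dots and slash",
    "--boundary",
    r'Content-Disposition: form-data; name="file"; filename="..\..\x.jsp"',
    "",
    "backslash separators",
    "--boundary--",
])


def normalize(value, rounds=3):
    """Percent-decode until the value stops changing (bounded to avoid
    unbounded work on pathological input), then fold '\\' to '/' so a single
    regex covers both separator styles."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def filenames_from_multipart(body):
    """Pull every filename="..." attribute out of the multipart body, in order."""
    return re.findall(r'filename="([^"]*)"', body)


def inspect_upload(request_body):
    """Return (raw_name, normalized_name) for every attachment name that
    contains a traversal segment after normalization."""
    findings = []
    for raw in filenames_from_multipart(request_body):
        norm = normalize(raw)
        if TRAVERSAL.search(norm):
            findings.append((raw, norm))
    return findings


if __name__ == "__main__":
    for raw, norm in inspect_upload(SAMPLE_BODY):
        print(f"traversal in attachment name: {raw!r} -> {norm!r}")
```

The point of the normalization step is the one that matters when validating WAF coverage: test the tampered request in each encoding the application will decode, not only the plain `../` form, because a signature that matches the raw bytes alone misses the encoded variants while the server still resolves them.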

Last update: 23-Apr-2019 08:22