Gal_Goldshtein
F5 Employee

Recently a new critical vulnerability in Atlassian Confluence was discovered. Exploiting the vulnerability may allow attackers to write files into arbitrary locations in the server file system.

The root cause of the vulnerability lies in the "download all attachments" functionality of Confluence, which lets a user download a zip file containing all the files attached to a Confluence document. While creating the zip file, Confluence creates a temporary directory and copies all the attached files into it, then builds a zip file from this temporary directory and sends it in the response.


Figure 1: Download all attachments functionality in Confluence


Figure 2: Zip file with all the attached files, created when the download all attachments function is called

To exploit the vulnerability, an attacker could tamper with the attachment file name parameter in the attachment upload request by adding directory traversal sequences before the file name. When the download all attachments function is later triggered, Confluence writes the attached files outside the designated temporary folder, which allows the attacker to write files anywhere in the file system of the server. This could also lead to remote code execution if the uploaded file is written inside a web-accessible directory.


Figure 3: Tampered attachment upload request


Figure 4: Malicious file written into a Confluence web accessible directory


Figure 5: JSP code executed when accessing the uploaded file
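
The staging step described above, as an added Python sketch (not Confluence's code and not part of the original article): `unsafe_target` shows the flawed pattern of joining the stored attachment name onto the temporary directory, while `safe_target` resolves the name and rejects anything that lands outside that directory. All function names and sample attachment names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def unsafe_target(temp_dir, filename):
    """Flawed pattern: join the stored attachment name onto the staging dir as-is."""
    return Path(os.path.normpath(os.path.join(temp_dir, filename)))


def safe_target(temp_dir, filename):
    """Resolve the name under temp_dir; refuse anything that lands outside it."""
    base = Path(temp_dir).resolve()
    # Treat backslashes as separators too, so "..\\" is caught on any OS.
    candidate = (base / filename.replace("\\", "/")).resolve()
    if base not in candidate.parents:
        raise ValueError("attachment name escapes staging directory: %r" % filename)
    return candidate


def stage_attachments(temp_dir, attachments):
    """Copy {name: bytes} into temp_dir; return (staged names, rejected names)."""
    staged, rejected = [], []
    for name, data in attachments.items():
        try:
            target = safe_target(temp_dir, name)
        except ValueError:
            rejected.append(name)  # worth logging: a traversal name is a strong signal
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        staged.append(name)
    return staged, rejected


if __name__ == "__main__":
    # Constructed sample attachments (hypothetical names and contents).
    samples = {"report.pdf": b"data", "../../escape.txt": b"x"}
    with tempfile.TemporaryDirectory() as stage:
        print("unsafe join resolves to:", unsafe_target(stage, "../../escape.txt"))
        print("staged, rejected:", stage_attachments(stage, samples))
```

The containment check runs on the resolved path rather than on the raw string, so absolute names and either separator style are rejected as well.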

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing directory traversal attack signatures which can be found in signature sets that include the “Path Traversal” attack type.


Figure 6: Exploit blocked with attack signature 200007016


Figure 7: Exploit blocked with attack signature 200000190

Last update: 23-Apr-2019 08:22