Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)
Recently a new critical vulnerability in Atlassian Confluence was discovered. Exploiting it may allow an attacker to write files to arbitrary locations on the server file system. The root cause lies in Confluence's "download all attachments" functionality, which lets a user download a zip file containing all of the files attached to a Confluence page. To build that zip, Confluence creates a temporary directory, copies every attached file into it, creates a zip file from the directory and returns the zip in the response.

Figure 1: Download all attachments functionality in Confluence
Figure 2: Zip file containing all the attached files, created when the download all attachments function is called

To exploit the vulnerability, an attacker tampers with the attachment file name parameter in the upload request by prepending directory traversal sequences to the file name. When download all attachments is later triggered, Confluence writes the attached file outside the designated temporary directory, which lets the attacker write files anywhere on the server's file system that the Confluence process can write to. This can also lead to remote code execution by writing the uploaded file into a web-accessible directory.

Figure 3: Tampered attachment upload request
Figure 4: Malicious file written into a Confluence web-accessible directory
Figure 5: JSP code executed when accessing the uploaded file

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt is detected by existing directory traversal attack signatures, which are included in signature sets that contain the "Path Traversal" attack type.

Figure 6: Exploit blocked with attack signature 200007016
Figure 7: Exploit blocked with attack signature 200000190
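The following is an added example and is not code from Confluence, Atlassian or F5. It models the flaw described above in Python: a "stage attachments into a temp directory, then zip it" loop that joins the stored attachment name onto the temp directory without checking where the result lands, beside a hardened version that canonicalizes each destination and rejects anything that escapes the staging directory. It also includes a small signature-style check of the kind a WAF would apply to the upload file name, decoding percent-encoding before looking for a `..` path component. The attachment names, file contents, `webapp/hypothetical.jsp` target and the `TRAVERSAL_RE` heuristic are all constructed for illustration; the traversal payload is written only within a throwaway temp tree.

```python
import os
import re
import shutil
import tempfile
import urllib.parse
import zipfile

# Constructed sample attachments: (name as stored from the upload request, bytes).
# The second entry is the shape of a tampered file name with traversal prepended.
SAMPLE_ATTACHMENTS = [
    ("notes.txt", b"meeting notes"),
    ("../../webapp/hypothetical.jsp", b"<% out.println(\"added example\"); %>"),
]

# Matches a '..' path component with either separator; constructed heuristic,
# not an actual ASM signature.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def looks_like_traversal(filename):
    """Signature-style check on an upload file name: decode percent-encoding
    twice (to catch double encoding), then look for a '..' path component."""
    decoded = filename
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    return TRAVERSAL_RE.search(decoded) is not None


def vulnerable_stage(attachments, staging_dir):
    """Flawed pattern: join the stored name onto the temp dir and write,
    never checking whether the result is still inside the temp dir."""
    written = []
    for name, data in attachments:
        dest = os.path.join(staging_dir, name)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(dest))
    return written


def safe_join(base, name):
    """Resolve name under base and refuse any result that escapes base."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"attachment name escapes staging dir: {name!r}")
    return candidate


def hardened_stage(attachments, staging_dir):
    """Same copy loop, but every destination is validated before writing."""
    written, rejected = [], []
    for name, data in attachments:
        try:
            dest = safe_join(staging_dir, name)
        except ValueError:
            rejected.append(name)
            continue
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(dest)
    return written, rejected


def escaped_paths(staging_dir, paths):
    """Return the written paths that ended up outside staging_dir."""
    base = os.path.realpath(staging_dir)
    return [p for p in paths if os.path.commonpath([base, p]) != base]


def build_zip(staging_dir, zip_path):
    """Zip the staging directory (the 'download all' step) and list its entries."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for root, _, files in os.walk(staging_dir):
            for f in files:
                full = os.path.join(root, f)
                zf.write(full, os.path.relpath(full, staging_dir))
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(zf.namelist())


def demo():
    """Run both variants inside a throwaway tree; nothing is written elsewhere."""
    root = tempfile.mkdtemp()
    try:
        # Staging dir is nested deep enough that '../../' stays inside root.
        staging = os.path.join(root, "a", "b", "staging")
        os.makedirs(staging)
        vuln_written = vulnerable_stage(SAMPLE_ATTACHMENTS, staging)
        escaped = escaped_paths(staging, vuln_written)
        shutil.rmtree(staging)
        os.makedirs(staging)
        safe_written, rejected = hardened_stage(SAMPLE_ATTACHMENTS, staging)
        zip_names = build_zip(staging, os.path.join(root, "all.zip"))
        return {"escaped": len(escaped), "safe_written": len(safe_written),
                "rejected": rejected, "zip": zip_names}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

`safe_join` relies on `os.path.realpath` so that symlinks and `..` segments are resolved before the containment check; comparing string prefixes without canonicalizing is a common way to get this check wrong. The `looks_like_traversal` decoder is deliberately applied twice because double-encoded `%252e%252e` survives a single decode pass.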