Confluence Docs 3.3 : Confluence Security Advisory 2010-07-06
This page last changed on Jul 06, 2010 by alui.
This advisory announces a number of security vulnerabilities in earlier versions of Confluence that we have found and fixed in Confluence 3.3. In addition to releasing Confluence 3.3, we also provide patches (in the form of plugin upgrades) for the vulnerabilities mentioned. You will be able to apply these plugin upgrades to older versions of Confluence. There will, however, be a number of security improvements in Confluence 3.3 that cannot be patched or backported. We recommend upgrading to Confluence 3.3 rather than applying the plugin upgrades.

In this advisory:

XSS Vulnerabilities

Severity

Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Confluence instances in a public environment. These vulnerabilities are exposed in the Confluence functions described in the table below.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability

We have identified and fixed vulnerabilities in the Confluence features described in the table below.
Risk Mitigation

We recommend that you upgrade your Confluence installation to fix these vulnerabilities. Please see the 'Fix' section below. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can apply one or both of the following mitigations:
In addition, please refer to our guidelines on best practices for configuring Confluence security. In particular, please read our guidelines on using Apache to limit access to the Confluence administration interface.

Fix

Please choose one of the options below that best suits your Confluence version and your ability to upgrade immediately.

Option 1 (Recommended): Upgrade to Confluence 3.3

We recommend that you upgrade to Confluence 3.3, which fixes all of the security issues reported in this advisory. See the Confluence 3.3 release notes. You can download Confluence 3.3 from the download centre.

Option 2: Upgrade or Disable the Affected Plugins

If you cannot upgrade your Confluence installation, you can upgrade or disable the affected plugins to fix the vulnerabilities described in this security advisory.
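The Risk Mitigation section above points to Atlassian's guideline on using Apache to limit access to the Confluence administration interface. The configuration below is an added illustration of that kind of restriction, written for this page rather than taken from Atlassian's guideline or from Confluence itself. It assumes Confluence is served at the root context path behind an Apache reverse proxy, that the administration console lives under /admin/ (a hypothetical path for this example), that the backend listens on 127.0.0.1:8090, and that 10.0.0.0/8 is a constructed "trusted administrator network".

```apache
# Added example, not Atlassian's own configuration. Assumptions: Confluence
# is proxied at "/" by this vhost, the admin console is under /admin/
# (hypothetical path), the backend is 127.0.0.1:8090, and 10.0.0.0/8 is the
# constructed trusted network from which administrators work.

<VirtualHost *:443>
    ServerName confluence.example.com

    # Reverse proxy everything to the Confluence application server.
    ProxyPass        / http://127.0.0.1:8090/
    ProxyPassReverse / http://127.0.0.1:8090/

    # Weak setting: the admin console is reachable from any address. With no
    # Location block at all, the ProxyPass above exposes it just the same.
    # <Location /admin/>
    #     Require all granted
    # </Location>

    # Corrected setting (Apache 2.4 syntax): only the trusted network can reach
    # the admin console. Other clients receive 403 from Apache before the
    # request is ever proxied to Confluence, which shrinks the administration
    # surface exposed to the public while the plugin upgrade is pending.
    <Location /admin/>
        Require ip 10.0.0.0/8
    </Location>

    # Apache 2.2 equivalent of the block above:
    # <Location /admin/>
    #     Order deny,allow
    #     Deny from all
    #     Allow from 10.0.0.0/8
    # </Location>
</VirtualHost>
```

This restriction complements, and does not replace, the upgrade or plugin fix: it limits who can reach administrative URLs at all, while the XSS issues themselves are only removed by applying the fix described under Option 1 or Option 2.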
Document generated by Confluence on Jul 09, 2010 01:08