Confluence 4.0 : Confluence Security Advisory 2011-03-24
This page last changed on Mar 25, 2011 by aatkins.
This cumulative advisory announces a number of security vulnerabilities that we have found in Confluence and fixed in recent versions of Confluence. We also provide upgraded plugins and patches that you will be able to apply to existing installations of Confluence to fix these vulnerabilities. However, we recommend that you upgrade your complete Confluence installation rather than upgrading only the affected plugins. Enterprise Hosted customers should request an upgrade by raising a support request at http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory. Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them. In this advisory: XSS VulnerabilitiesSeverityAtlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low. These vulnerabilities are not critical. This is an independent assessment and you should evaluate its applicability to your own IT environment. Risk AssessmentWe have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at cgisecurity.com, The Web Application Security Consortium and other places on the web. VulnerabilityThe table below describes the Confluence versions and the specific functionality affected by each of the XSS vulnerabilities.
Our thanks to Dave B, who reported the vulnerability in the action links of attachments lists. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem. Risk MitigationWe recommend that you upgrade your Confluence installation to fix these vulnerabilities. Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public signup to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups. We also recommend that you read our guidelines on best practices for configuring Confluence security. FixConfluence 3.4.9 or later fixes all of these issues. Some issues have been fixed in earlier versions as described in the table above. For a full description of this release, see the release notes. You can download the latest version of Confluence from the download centre. The most recent version at the time of this advisory is Confluence 3.5. PatchesIf for some reason you cannot upgrade to the latest version of Confluence, you can upgrade the relevant plugins (below) in your Confluence installation to fix the vulnerabilities described in this security advisory. For details on upgrading Confluence's plugins using the plugin manager, see:
Patches are also attached to the relevant issues (listed in the table above) if you need to apply these fixes manually.
Include Page Macro
To apply this fix, use the plugin manager to upgrade the Advanced Macros plugin to a version greater than or equal to that specified in the file name above. Activity Stream Gadget
Action links of attachments lists
To apply this fix, use the plugin manager to upgrade the Confluence Attachments Plugin plugin to a version greater than or equal to that specified in the file name above. Table of Contents macro
To apply this fix, use the plugin manager to upgrade the Table of Contents Plugin plugin to a version greater than or equal to that specified in the file name above. |
![]() |
Document generated by Confluence on Sep 19, 2011 02:40 |