Atlassian plugs Confluence info leak hole


Two security problems in one week.

Atlassian is urging users of its Confluence team collaboration software to upgrade in order to fix a bug that allows unauthenticated users to view all blogs and pages.

The "high severity" vulnerability was introduced in Confluence 6.0.0.

"The Confluence drafts diff rest resource made the current content of all blogs and pages in Confluence available without authentication by providing a page id or draft ID," Atlassian advised.

"Attackers who can access the Confluence web interface of a vulnerable version can use this vulnerability to obtain the content of all blogs and pages inside Confluence provided that they first enumerate page or draft IDs."

Confluence versions 6.0.0 to 6.0.6 are vulnerable to the information leakage bug.
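As an added example (not from the article or from Atlassian), the following Python script shows how a defender could spot the pattern the advisory describes in web access logs: successful requests with no authenticated user that walk through page or draft IDs against the drafts diff REST resource. The log line format, the shape of the REST path and the sample lines are all constructed assumptions, since the advisory text does not give the endpoint path.

```python
import re
from collections import defaultdict

# Constructed log format (assumption, not Confluence's real format):
# <client_ip> <authenticated_user_or_-> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Assumed shape of the drafts diff REST resource; the advisory does not give
# the real path, so this pattern is a placeholder to adapt to your instance.
DRAFTS_DIFF_RE = re.compile(
    r"/rest/\S*drafts\S*diff\S*[?&](?:pageId|draftId)=(?P<id>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unauthenticated_enumeration(lines, threshold=3):
    """Flag clients that, with no authenticated user, were served (HTTP 200) the
    drafts diff resource for at least `threshold` distinct page/draft IDs.
    Returns {client_ip: sorted list of IDs requested}."""
    ids_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] != "-" or rec["status"] != "200":
            continue  # authenticated, or not served: not the leak pattern
        m = DRAFTS_DIFF_RE.search(rec["path"])
        if m:
            ids_by_ip[rec["ip"]].add(int(m.group("id")))
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= threshold}


# Constructed sample lines (not real traffic); the path segment is a placeholder
SAMPLE_LOG = [
    "203.0.113.5 - GET /rest/example/drafts/diff?pageId=100 200",
    "203.0.113.5 - GET /rest/example/drafts/diff?pageId=101 200",
    "203.0.113.5 - GET /rest/example/drafts/diff?draftId=102 200",
    "203.0.113.5 - GET /rest/example/drafts/diff?pageId=103 200",
    "198.51.100.9 alice GET /rest/example/drafts/diff?pageId=100 200",
    "198.51.100.9 - GET /pages/viewpage.action?pageId=100 200",
    "192.0.2.7 - GET /rest/example/drafts/diff?pageId=555 401",
]

if __name__ == "__main__":
    print(find_unauthenticated_enumeration(SAMPLE_LOG))
```

On a patched instance (6.0.7 or 6.1.0) such requests should no longer return content anonymously, so the flagged set also serves as a quick check that the upgrade took effect.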

Atlassian recommends that users upgrade to Confluence 6.1.0; those who cannot move to the latest version should install 6.0.7 as soon as possible.

Cloud instances of Confluence are already upgraded, Atlassian said.

Users can mitigate the information leakage vulnerability by turning off collaborative editing in Confluence; however, doing so means shared drafts will be lost.

It's the second damaging security issue to be faced by the company in a week. Atlassian was forced to reset all passwords for its HipChat collaboration service over the weekend after an attacker broke into the platform via a vulnerability in a third-party library and accessed user data.

Atlassian claims Confluence customers include NASA, Germany's national airline Lufthansa and streaming music service Spotify, with over 100 million pages being published through the software.
