Confluence Docs 3.1 : Confluence Security Advisory 2009-02-18
This page last changed on Feb 17, 2009 by ggaskell.
In this advisory: HTTP Header Injection Flaw

Severity

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a security flaw which may affect Confluence instances in a public environment. This flaw is an HTTP header injection vulnerability in the Seraph web framework that is used by Confluence. This potentially allows a malicious user (attacker) to modify the HTTP response to insert malicious code. An attacker could present a modified URL to users (e.g. disguised in an email message). If any user clicks the URL, the malicious code would be executed in the user's session.

Atlassian recommends that you upgrade to Confluence 2.10.2 to fix the vulnerabilities described below.

Risk Mitigation

We strongly recommend either patching or upgrading your Confluence installation to fix this vulnerability. Please see the 'Fix' section below. Alternatively, you may consider taking the following step, although the time required to fix this vulnerability and the extent of its effectiveness will depend on your application server running Confluence and its configuration:

Vulnerability

All versions of Confluence prior to 2.10.2 are vulnerable to this security flaw.

Fix

The fix updates the Seraph framework to a version which correctly encodes and validates redirect URLs before sending them back to the user. To patch your existing installation of Confluence, please refer to CONF-14275. This JIRA issue contains the downloadable patch file and instructions on how to patch your existing Confluence installation. Alternatively, install or upgrade to Confluence version 2.10.2. (See the release notes.) The Confluence 2.10.2 installation files can be downloaded from the download centre. For more information, please refer to CONF-14275.
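The following is an added illustration of the flaw class the advisory describes and of the kind of check the fix introduces ("correctly encodes and validates redirect URLs before sending them back to the user"). It is not Seraph's or Atlassian's code and is written in Python rather than Seraph's Java. The parameter name `destination`, the host `wiki.example.com` and the sample inputs are constructed for the example; the naive builder is a simplified model of how a raw redirect value ends up in a `Location` header, not a description of Seraph internals.

```python
"""Added example: a redirect target copied unchecked into a Location header
versus one that is decoded, validated and re-encoded first.

Assumptions (not from the advisory): the redirect parameter is called
`destination`, the site host is wiki.example.com, and the redirect value is
the only attacker-influenced input.
"""
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# CR, LF and other control characters terminate or corrupt a header line;
# a redirect value containing them lets extra headers (or a body) be appended.
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Hosts this instance may redirect to (constructed for the example).
ALLOWED_HOSTS = frozenset({"wiki.example.com"})


class UnsafeRedirect(ValueError):
    """Raised when a redirect target cannot safely be placed in a header."""


def naive_location_header(destination: str) -> str:
    """Model of the flaw: the URL-decoded parameter is copied straight into
    the header, so an encoded CR/LF pair ("%0d%0a") becomes a real line break."""
    return "Location: " + unquote(destination)


def header_lines(header_block: str) -> list:
    """Split a header block on CRLF the way an HTTP client would."""
    return [line for line in header_block.split("\r\n") if line]


def sanitize_redirect(destination: str) -> str:
    """Validate and re-encode a redirect target.

    Returns a value safe to place in a Location header or raises
    UnsafeRedirect. The value is decoded first so the check applies to what
    the server would actually emit, which closes the percent-encoded variant.
    """
    if not destination:
        raise UnsafeRedirect("empty destination")
    decoded = unquote(destination)
    if _CTL_RE.search(decoded):
        raise UnsafeRedirect("control character in destination")
    parts = urlsplit(decoded)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        raise UnsafeRedirect("scheme %r not allowed" % parts.scheme)
    if parts.netloc:
        if parts.netloc.lower() not in ALLOWED_HOSTS:
            raise UnsafeRedirect("off-site host %r" % parts.netloc)
    elif not decoded.startswith("/") or decoded.startswith("//"):
        # Relative targets must be site-absolute; "//host" would be
        # protocol-relative and also leave the site.
        raise UnsafeRedirect("destination must be a site-absolute path")
    # Re-encode each component so nothing outside the URL-safe set survives.
    safe_path = quote(parts.path, safe="/@:!$&'()*+,;=-._~")
    safe_query = quote(parts.query, safe="=&@:!$'()*+,;/?-._~")
    return urlunsplit((parts.scheme, parts.netloc, safe_path, safe_query, ""))


def is_safe_redirect(destination: str) -> bool:
    """Convenience wrapper: True if sanitize_redirect accepts the value."""
    try:
        sanitize_redirect(destination)
    except UnsafeRedirect:
        return False
    return True


def safe_location_header(destination: str) -> str:
    """Build a Location header only from a validated, re-encoded target."""
    return "Location: " + sanitize_redirect(destination)


if __name__ == "__main__":
    # Constructed sample: a site-relative page followed by an encoded CRLF
    # and a harmless marker header, the shape of input the advisory warns about.
    crafted = "/dashboard.action%0d%0aX-Injected:%201"
    print(header_lines(naive_location_header(crafted)))   # two header lines
    print(is_safe_redirect(crafted))                       # False
    print(safe_location_header("/display/DS/My Page"))     # space re-encoded
```

The two checks that matter are order and scope: decode before inspecting, so an encoded line break is caught, and restrict the target to a site-absolute path or an allow-listed host, so the same parameter cannot be turned into an open redirect. Re-encoding the surviving components means the header only ever carries characters from the URL-safe set.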
Document generated by Confluence on Dec 10, 2009 18:40