Confluence 3.5 : Confluence Security Advisory 2009-01-07
This page last changed on Oct 11, 2010 by alui.
In this advisory: Content Overwrite Vulnerability in the Office Connector Plugin

Content Overwrite Vulnerability in the Office Connector Plugin

Severity

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified a risk that makes it possible for users with read-only access to a Confluence wiki space to modify its contents via the document import feature of the Office Connector plugin. This issue, however, does not expose restricted content on a Confluence wiki space to unauthorised users.

Risk Mitigation

Please see the 'Fix' section below. If you cannot apply the fix immediately, you can consider taking one or more of the following steps:

Vulnerability

The Office Connector plugin was first bundled in Confluence version 2.10.0. Hence, this vulnerability affects Confluence 2.10.0 where the Office Connector Plugin is enabled. Additionally, this plugin is compatible with all versions of Confluence from 2.3.0 onwards. Hence, if you have installed the plugin, this vulnerability will affect your Confluence instance.

Fix

Please download and install the latest version of the Office Connector plugin via the Confluence Plugin Repository (instructions here). If you wish to install this plugin manually, you can download it from here.

Alternatively, install or upgrade to Confluence version 2.10.1. (See the release notes.) The Confluence 2.10.1 installation files can be downloaded from the download centre.

For more information, please refer to CONF-14014.

Our thanks to Justin Wong, who reported this vulnerability. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Document generated by Confluence on Mar 16, 2011 18:29