Description

The Confluence drafts diff rest resource makes the current content of all blogs and pages in Confluence available without authentication by providing a page id or draft id. Attackers who can access the Confluence web interface of a vulnerable version can use this vulnerability to obtain the content of all blogs and pages inside Confluence provided that they first enumerate page or draft ids. All versions of Confluence starting with 6.0.0 before version 6.0.7 are affected by this vulnerability.

Remediation

Upgrade Confluence to version 6.1.0 or above (recommended)

References

Confluence Security Advisory - 2017-04-19

Related Vulnerabilities

NodeBB Arbitrary JSON File Read (CVE-2021-43788)

WordPress Plugin Advanced Custom Fields (ACF) Information Disclosure (6.0.2)

WordPress Plugin Paid Memberships Pro-Restrict Member Access to Content, Courses, Communities-Free or Paid Subscriptions Information Disclosure (2.5.2)

WordPress Plugin Yoast SEO Information Disclosure (3.2.4)

WordPress Plugin Duplicator-WordPress Migration Arbitrary File Disclosure (0.3.0)

Severity

High

Classification

CVE-2017-7415 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure