CVE-2018-20237 | Cyber Solutions By Thales

Abstract Advisory Information

Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature.

Author: Jean-Marie Bourbon

Version affected

Name: Confluence

Versions: 6.12.0

Common Vulnerability Scoring System

3.1

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Patches

Fixed on 6.14.0 or 6.13.1

References

https://jira.atlassian.com/browse/CONFSERVER-57814

Vulnerability Disclosure Timeline

18/09/2018 – Vulnerability discovered.
19/09/2018 – BugCrowds Submission.
20/09/2018 – Atlassian psirt notificiation
24/09/2018 – Atlassian support notificatinon
25/09/2018 – Issue acknowledged by support -> Long Term backlog.
29/01/2019 – Published on Atlassian’s public issue tracke
28/02/2019 – Public disclosure