NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge

Trending CVEs for the Week of May 6th, 2019

Why IAM Technology is Critical to Your Vulnerability Management Program

CVE-2019-3396 – Widget Connector Macro in Atlassian Confluence Server

Last week, we covered CVE-2019-2725 which was a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware in our last post. Even though, CVE-2019-2725 is still the most talked about this week, despite no major new developments surrounding them. This is why we will shift to Atlassian Confluence Server, the second most mentioned vulnerability.-NVD has classified this vulnerability as – CVE-2019-3396: Atlassian Confluence Widget Connector Macro Velocity Template Injection.

Description

Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embed online videos, slideshows and more directly into page. This vulnerability is a server-side template injection in the Widget Connector that can lead to remote code execution. Authentication is un-required to exploit this vulnerability.

Affected Products

Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.

Exploitation and Risk

This vulnerability is considered a critical severity security vulnerabilities in Confluence Server and Confluence Data Center. The successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk. You should do an assessment for your environment if it’s applicable or not.

Fixes

You should upgrade the latest version of the Confluence which can be found on the Confluence Security Advisory.

References

Rapid 7

Confluence Security Advisory

Share your thoughts in our community!

Click Here

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.