Trending CVEs for the Week of May 6th, 2019

CVE-2019-3396 – Widget Connector Macro in Atlassian Confluence Server

Last week, we covered CVE-2019-2725 which was a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware in our last post. Even though, CVE-2019-2725 is still the most talked about this week, despite no major new developments surrounding them. This is why we will shift to Atlassian Confluence Server, the second most mentioned vulnerability.-NVD has classified this vulnerability as – CVE-2019-3396: Atlassian Confluence Widget Connector Macro Velocity Template Injection.


Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embed online videos, slideshows and more directly into page. This vulnerability is a server-side template injection in the Widget Connector that can lead to remote code execution. Authentication is un-required to exploit this vulnerability.

Affected Products

Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.

Exploitation and Risk

This vulnerability is considered a critical severity security vulnerabilities in Confluence Server and Confluence Data Center. The successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk. You should do an assessment for your environment if it’s applicable or not.


You should upgrade the latest version of the Confluence which can be found on the Confluence Security Advisory.


Rapid 7

Confluence Security Advisory

Share your thoughts in our community!

Click Here