---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Confluence Server Critical Remote Code Execution Vulnerability'
version: '1.0'
number: '2019-009'
date: 'April 15, 2019'
---

_History:_

* _15/04/2019 --- v1.0 -- Initial publication_

# Summary

A server-side template injection vulnerability has been discovered in the Widget Connector of Confluence Server and Data Center. An attacker able to exploit this issue could achieve _path traversal_ and _remote code execution_ on systems that run a vulnerable version of Confluence Server or Data Center [1].

# Technical Details

The Widget Connector macro in affected versions of Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection [2].

# Products Affected

Atlassian Confluence Server affected versions include:

* before version 6.6.12 (the fixed version for 6.6.x),
* from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x),
* from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x),
* from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x).

# Recommendations

Atlassian recommends that you upgrade to the latest version (6.15.1). For a full description of the latest version of Confluence Server and Data Center, see the Release Notes [3]. You can download the latest version of Confluence from the Atlassian website [4].

The versions of Confluence Server that address the issues:

* Confluence Server and Data Center version 6.15.1 can be downloaded from [4].
* Confluence Server and Data Center versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2 can be downloaded from [5].
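To help administrators triage their own instances against the affected ranges listed above, here is an added example (not part of the CERT-EU advisory) that maps a Confluence Server / Data Center version string to the fixed release of its branch, or reports it as outside every affected range. The range table is transcribed from the advisory; the helper functions and their names are this example's own.

```python
# Added example, not from the CERT-EU advisory: decide whether a Confluence
# Server / Data Center version falls inside one of the affected ranges and,
# if so, which fixed release of that branch closes the issue.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive, fixed version exclusive) for each affected branch,
# as listed under "Products Affected" in the advisory.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 6, 12)),    # everything before 6.6.12
    ((6, 7, 0), (6, 12, 3)),    # 6.7.0 up to but not including 6.12.3
    ((6, 13, 0), (6, 13, 3)),   # 6.13.0 up to but not including 6.13.3
    ((6, 14, 0), (6, 14, 2)),   # 6.14.0 up to but not including 6.14.2
]


def parse_version(text: str) -> Version:
    """Parse a dotted version such as '6.13.1' into a comparable tuple.

    Pads to three components so that '6.6' compares as 6.6.0; rejects
    anything that is not purely numeric (e.g. a build suffix).
    """
    nums = []
    for part in text.strip().split(".")[:3]:
        if not part.isdigit():
            raise ValueError(f"unsupported version component: {part!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def fixed_version_for(version_text: str) -> Optional[str]:
    """Return the fixed release for the branch this version belongs to,
    or None when the version is not inside any affected range."""
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version_text: str) -> bool:
    """True when the given version is covered by the advisory."""
    return fixed_version_for(version_text) is not None
```

A version that is not in any range (for example 6.12.3 or 6.15.1) yields None, which matches the advisory's statement that those releases contain the fix.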
If upgrading is not possible, see the relevant instructions [6].

# References

[1]
[2]
[3]
[4]
[5]
[6]