Vulnerability Description
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can log in to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it, even if they do not have permission to view the page itself.
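The following is an added, constructed model of the flaw described above; it is not Confluence code and the page, watcher and user names are made up. It contrasts a notifier that only checks view permission at watch time (so a later restriction on the page is never re-evaluated) with one that re-checks at notification-creation time, plus a small audit helper that flags recipients who received comment text for a page they cannot view.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Page:
    title: str
    # Empty set means no view restriction; otherwise only these users may view.
    allowed_viewers: set = field(default_factory=set)
    watchers: set = field(default_factory=set)


def can_view(page: Page, user: str) -> bool:
    return not page.allowed_viewers or user in page.allowed_viewers


def watch(page: Page, user: str) -> None:
    # Watch-time check only: the user must be able to see the page right now.
    if can_view(page, user):
        page.watchers.add(user)


def notify_vulnerable(page: Page, author: str, comment: str) -> dict:
    """Model of the flawed behaviour: a notification carrying the comment body
    is created for every watcher with no permission re-check."""
    body = f"{author} commented on '{page.title}': {comment}"
    return {w: body for w in page.watchers if w != author}


def notify_fixed(page: Page, author: str, comment: str) -> dict:
    """Hardened variant: view permission is evaluated when the notification is built."""
    body = f"{author} commented on '{page.title}': {comment}"
    return {w: body for w in page.watchers if w != author and can_view(page, w)}


def leaked_recipients(page: Page, notifications: dict) -> set:
    """Audit helper: recipients who got comment text for a page they may not view."""
    return {u for u in notifications if not can_view(page, u)}


def scenario() -> Page:
    # Constructed data: mallory starts watching while the page is unrestricted,
    # then the page is restricted to alice and bob.
    page = Page("Board minutes")
    watch(page, "alice")
    watch(page, "mallory")
    page.allowed_viewers = {"alice", "bob"}
    return page


if __name__ == "__main__":
    p = scenario()
    print("vulnerable leaks to:", leaked_recipients(p, notify_vulnerable(p, "bob", "draft figures")))
    print("fixed leaks to:", leaked_recipients(p, notify_fixed(p, "bob", "draft figures")))
```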
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Confluence | >= 4.3, < 6.2.1 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/99086 (Third Party Advisory, VDB Entry)
- https://jira.atlassian.com/browse/CONFSERVER-52560 (Mitigation, Vendor Advisory)
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170613-ExploitMitigation (Third Party Advisory)
FAQ
What is CVE-2017-9505?
CVE-2017-9505 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can log in to Conflu...
How severe is CVE-2017-9505?
CVE-2017-9505 has been rated MEDIUM with a CVSS base score of 4.3/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2017-9505?
Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Confluence.