
Atlassian Confluence Server < 4.3 Multiple Vulnerabilities

Medium

Synopsis

The remote Confluence server is affected by multiple vulnerabilities.

Description

Versions of Confluence prior to 4.3 are affected by multiple vulnerabilities:

- Anonymous users are allowed to access '/spaces/opengrouppicker.action'. This may allow remote attackers to browse internal directories. (OSVDB 125864)
- '/users/userpicker.action' fails to properly restrict unprivileged access. This may allow a remote attacker to gain access to potentially sensitive information about LDAP directory users and groups. (OSVDB 125865)
- '/users/userpicker.action' exposes LDAP directory users and groups to unauthenticated remote attackers. This may allow a remote attacker to gain access to potentially sensitive information. (OSVDB 128215)
- '/spaces/opengrouppicker.action' exposes LDAP directory users and groups to unauthenticated remote attackers. This may allow a remote attacker to gain access to potentially sensitive information. (OSVDB 128216)
- The '/rest/prototype/1/search/user.json' script does not properly handle input passed via the 'query' parameter. This may allow a remote attacker to enumerate arbitrary users. (OSVDB 133803)
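The endpoints listed above are the ones a defender would want to look for in historical access logs while an instance is still below 4.3. The following is an added example, not part of this advisory or Atlassian's code: it checks a version string against the 4.3 threshold and counts successful anonymous requests to those endpoints in Combined Log Format lines. It assumes a reverse proxy in front of Confluence that writes the authenticated username into the third log field ("-" for anonymous requests); the log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Endpoints named in the advisory for Confluence < 4.3.
SENSITIVE_ENDPOINTS = {
    "/spaces/opengrouppicker.action",
    "/users/userpicker.action",
    "/rest/prototype/1/search/user.json",
}

# Combined Log Format as written by a reverse proxy in front of Confluence.
# Assumption: the proxy records the authenticated username in the third
# field and writes "-" for anonymous requests.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_affected_version(version: str) -> bool:
    """True when a dotted Confluence version string is below 4.3 (major.minor compared)."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    return parts < (4, 3)

def find_anonymous_hits(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count 2xx anonymous requests to the sensitive endpoints, grouped by client host and path."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        path = m.group("target").split("?", 1)[0]  # match on the path, ignore the query string
        if path in SENSITIVE_ENDPOINTS and m.group("user") == "-" and m.group("status")[0] == "2":
            hits[m.group("host")][path] += 1
    return {host: dict(paths) for host, paths in hits.items()}

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2013:10:15:01 +0000] "GET /spaces/opengrouppicker.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2013:10:15:03 +0000] "GET /rest/prototype/1/search/user.json?query=a HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2013:10:15:04 +0000] "GET /rest/prototype/1/search/user.json?query=b HTTP/1.1" 200 790 "-" "Mozilla/5.0"',
    '198.51.100.4 - jdoe [12/Mar/2013:10:16:10 +0000] "GET /users/userpicker.action HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.4 - jdoe [12/Mar/2013:10:16:12 +0000] "GET /dashboard.action HTTP/1.1" 200 9900 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Mar/2013:10:17:00 +0000] "GET /users/userpicker.action HTTP/1.1" 302 0 "-" "curl/7.29"',
]

if __name__ == "__main__":
    print("4.2.1 affected:", is_affected_version("4.2.1"))
    print(find_anonymous_hits(SAMPLE_LOG))
```

Authenticated requests and redirected (non-2xx) requests are left out deliberately, so the result lists only hosts that actually retrieved data from the endpoints without a session.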

Solution

Upgrade to Confluence version 4.3 or later.