icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

Atlassian Confluence Server 4.3.x < 4.3.3 SQLi

High

Synopsis

The remote Confluence server is affected by an SQL injection vulnerability.

Description

Versions of Confluence 4.3.x prior to 4.3.3 contain a flaw that may allow carrying out an SQL injection attack. The issue is due to the 'deleteReferrersWithPrefix' method in the 'DefaultReferralManager' class in 'DefaultReferralManager.java' not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Solution

Upgrade to Confluence 4.3.x version 4.3.3 or later.