CVE-2017-9505

Summary

Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself.

Affected Software

VendorProductVersion RangeStatus
AtlassianConfluence ServerVersions of Confluence starting with 4.3.0 before 6.2.1 are affected by this vulnerability.affected

Weaknesses

  • Access Restriction Bypass

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References