Twenty Year Anniversary

Atlassian Confluence 6.1.1 Access Restriction Bypass

Atlassian Confluence 6.1.1 Access Restriction Bypass
Posted Jun 13, 2017
Authored by Mathias Frank | Site

Atlassian Confluence versions 4.3.0 through 6.1.1 suffers from an access restriction bypass vulnerability.

tags | exploit, bypass
MD5 | 71d758377b0464d5863a7cf56d17a000

Atlassian Confluence 6.1.1 Access Restriction Bypass

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20170613-0 >
title: Access Restriction Bypass
product: Atlassian Confluence
vulnerable version: 4.3.0 - 6.1.1
fixed version: 6.2.1
CVE number: -
impact: Medium
found: 2017-03-27
by: Mathias Frank (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich


Vendor description:
"In 2002, our founders, Scott Farquhar and Mike Cannon-Brookes, set
conventional wisdom on its ear by launching a successful enterprise
software company with no sales force. From Australia. Our first product, JIRA,
proved that if you make a great piece of software, price it right, and make
it available to anyone to download from the internet, teams will come. And
they'll build great things with it. And they'll tell two friends, and so on,
and so on.
Today a lot has changed. We're over 1,700 Atlassians (and growing), in six
locations, with products to help all types of teams realize their visions and
get stuff done. But the fundamentals remain the same. We're for teams because
we believe that great teams can do amazing things. We're not afraid to do
things differently. And we're driven by an inspiring set of values that shape
our culture and our products for the better."


Business recommendation:
SEC Consult recommends to upgrade to the latest version available which fixes
the identified issue.

Vulnerability overview/description:
1) Access Restriction Bypass
The "watch" functionality provides a user the option to subscribe to specific
content. Furthermore, the user gets a notification for any new comment made to the
previously subscribed content.

A user can manually subscribe to pages which he is not able to view and he then
receives any further comment made on the restricted page.

Proof of concept:
1) Access Restriction Bypass
Prerequisite as admin user just for a proof of concept demo page:
* Create a Space "Demo Space" visible for every user and group
* Create a Page "Demo Page" (example pageID: 1048582) and restrict the
"Viewing and editing restriction" to only the administrator group/user with
the "/pages/getcontentpermissions.action" function.

Send the following request as user:
POST /users/addpagenotificationajax.action HTTP/1.1
Host: localhost:8090
Referer: http://localhost:8090/display/ds/Welcome+to+Confluence
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest


Then the user is subscribed to the "Demo Page" and receives a notification and is
able to receive any further comments made on the subscribed page.

Vulnerable / tested versions:
The following version has been tested by SEC Consult
Atlassian Confluence version 5.9.14 and 6.1.1

Atlassian believes that versions beginning from 4.3.0 before 6.2.1 are affected.

Vendor contact timeline:
2017-04-03: Contacting vendor through
2017-04-05: Vendor confirmed the vulnerability and issued the references
CONFSERVER-52241 (Confluence Server) and CONFCLOUD-54634 (Confluence
2017-04-13: Vendor fixed the issue CONFCLOUD-54634.
2017-05-11: Asked for planned timeline and release of an fix for CONFSERVER-52241.
2017-05-29: Vendor released a fix for CONFSERVER-52241 with version 6.2.1.
2017-06-08: Vendor prepares a sanitised copy of CONFSERVER-52241 for release along
with the advisory -
2017-06-13: Public release of advisory.

Upgrade to version 6.2.1 available at:
The effectiveness of the fix was verified by the SEC Consult Vulnerability Lab.

Disable workbox notifications as per the instructions found at

Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices

Mail: research at sec-consult dot com

EOF Mathias Frank / @2017


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    3 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    18 Files
  • 6
    Sep 6th
    18 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    2 Files
  • 9
    Sep 9th
    2 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    17 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    29 Files
  • 14
    Sep 14th
    21 Files
  • 15
    Sep 15th
    3 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    16 Files
  • 19
    Sep 19th
    29 Files
  • 20
    Sep 20th
    18 Files
  • 21
    Sep 21st
    5 Files
  • 22
    Sep 22nd
    2 Files
  • 23
    Sep 23rd
    2 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    30 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By