Blind Server-Side Request Forgery Vulnerability in Confluence Server from Atlassian
CVE-2020-29445

4.3MEDIUM

Key Information:

Vendor: Atlassian
Status: Confluence Server
Vendor: CVE Published:; 7 May 2021

Summary

A vulnerability in Atlassian Confluence Server allows attackers to exploit a blind server-side request forgery through Team Calendars parameters. This flaw can enable unauthorized internal host and port identification, potentially leading to further exploitation of internal systems. Affected versions include those prior to 7.4.8 and 7.5.0 up to but not including 7.11.0, highlighting the need for users to update to a secure version to mitigate this risk.

Affected Version(s)

Confluence Server < 7.4.8

Confluence Server 7.5.0

Confluence Server < 7.11.0

References

https://jira.atlassian.com/browse/CONFSERVER-61453

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 7, 2021
Vulnerability Reserved
Dec 1, 2020