CVE-2017-9505
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself.
Atlassian Confluence desde la versión 4.3.0 hasta la 6.2.1 no comprobaba si un usuario tenía permiso para visualizar una página mientras se creaba una notificación workbox sobre nuevos comentarios. Un atacante que pueda iniciar sesión en Confluence podría recibir notificaciones workbox, que contienen los comentarios, para los comentarios añadidos a una página una vez que han empezado a verla aunque no tengan permiso para visualizar la propia página.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2017-06-07 CVE Reserved
- 2017-06-15 CVE Published
- 2023-03-07 EPSS Updated
- 2024-10-16 CVE Updated
- 2024-10-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-276: Incorrect Default Permissions
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/99086 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170613-0_Atlassian_Confluence_Access_Restriction_Bypass_v10.txt | 2024-10-16 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://jira.atlassian.com/browse/CONFSERVER-52560 | 2020-07-21 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Atlassian Search vendor "Atlassian" | Confluence Search vendor "Atlassian" for product "Confluence" | >= 4.3 < 6.2.1 Search vendor "Atlassian" for product "Confluence" and version " >= 4.3 < 6.2.1" | - |
Affected
|