The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.18, 6.14.x < 7.4.6 or 7.5.x < 7.8.3. It is, therefore, affected by an incorrect path access check vulnerability allowing unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.18, 6.14.x prior to 7.4.6 or 7.5.x prior to 7.8.3. It is, therefore, affected by an arbitrary file read vulnerability in its ConfluenceResourceDownloadRewriteRule class due to an incorrect path access check. An unauthenticated, remote attacker can exploit this to read arbitrary files within WEB-INF and META-INF.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
112862	Atlassian Confluence 7.5.x < 7.8.3 Arbitrary File Read	Web App Scanning	Component Vulnerability	medium
112861	Atlassian Confluence 6.14.x < 7.4.6 Arbitrary File Read	Web App Scanning	Component Vulnerability	medium
112860	Atlassian Confluence < 6.13.18 Arbitrary File Read	Web App Scanning	Component Vulnerability	medium
146869	Atlassian Confluence < 6.13.18 / 6.14 < 7.4.6 / 7.5 < 7.8.3 Arbitrary File Read (CONFSERVER-60469)	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2020-29448

medium

Tenable Plugins

medium

medium

medium

medium