Confluence Security Advisory 2010-08-17
This advisory announces a security vulnerability in Confluence 3.3 that we have found and fixed in Confluence 3.3.1. We recommend that you upgrade to Confluence 3.3.1 to fix this vulnerability.
Secure Administrator Session Vulnerability
Severity
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a vulnerability in the Secure Administrator Sessions feature, introduced in Confluence 3.3, that allows it to be bypassed.
Vulnerability
If an attacker is able to gain access to a session with administrator privileges, they will be able to access all administrator functions without having to re-authenticate.
This vulnerability exists in Confluence 3.3 only.
See CONF-20508 for more details.
Risk Mitigation
We recommend upgrading your Confluence installation to fix this vulnerability. Please see the 'Fix' section below.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can disable public access (such as anonymous access and public signup) to your wiki until you have applied the necessary upgrade. For even tighter control, you could restrict access to trusted groups.
Fix
Confluence 3.3.1 fixes this issue. See the release notes. You can download Confluence 3.3.1 from the download centre.