Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a pre-authorization arbitrary file read vulnerability in the /s/ endpoint.
A remote attacker, without authentication, can achieve partial data exposure. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2022-04-18 under CISA BOD 22-01.
This is a Software Vulnerability (CWE-425) (CWE-425) vulnerability in Atlassian Confluence Server. Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Used in known ransomware campaigns. Threat-research write-up: http://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply updates per vendor instructions.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References