July 20, 2020

GHSL-2020-045: Server-side template injection in Atlassian Confluence - CVE-2020-4027

Alvaro Muñoz

Summary

A user with privileges to edit User macros may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Confluence.

Product

Atlassian Confluence

Tested Version

Atlassian Confluence 7.3.3

Details

Server-Side Template Injection (Velocity)

Even though Confluence does a good job installing the Velocity SecureUberspector to sandbox the User macro templates, it stills exposes a number of objects through the Templating API that can be used to circumvent the sandbox and achieve remote code execution.

Deep inspection of the exposed objects' object graph allows an attacker to get access to objects that allow them to instantiate arbitrary Java objects.

Impact

This issue may lead to Remote Code Execution.

CVE

CVE-2020-4027

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 03/23/2020: Sent report to security@atlassian.com
  • 03/23/2020: Issue is acknowledged
  • 06/05/2020: Fix is released as part of 7.5.1
  • 06/06/2020: Additional RCE vectors are reported to Atlassian
  • 06/24/2020: Fix is released

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Munoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-045 in any communication regarding this issue.