Atlassian warns of critical security flaw
Confluence customers urged to upgrade
Atlassian has warned of a critical security flaw in its Confluence product.
All versions of Confluence up to and including 4.1.9 are at risk, the company says, thanks to what it calls an “XML parsing vulnerability” that could lead to “denial of service attacks against the Confluence server” or allow intruders to “read all local files readable to the system user under which Confluence runs.”
Atlassian has provided fixes for all major versions of Confluence that are supported – 3.5.x, 4.0.x and 4.1.x. Hence, customers do not have to upgrade to 4.2 to fix the vulnerability.
Atlassian has posted a mitigation procedure, but warns the actions it recommends “will only limit the impact of the vulnerability … not mitigate it completely.” ®