From f074b5310aa51e849a4e3a11353270668c8ed56e Mon Sep 17 00:00:00 2001
From: David Black
Date: Thu, 21 Mar 2019 12:30:45 +1100
Subject: [PATCH] Add CVE-2019-3395 CVE-2019-3396
---
2019/3xxx/CVE-2019-3395.json | 102 ++++++++++++++++++++++++++++++-----
2019/3xxx/CVE-2019-3396.json | 102 ++++++++++++++++++++++++++++++-----
2 files changed, 176 insertions(+), 28 deletions(-)
diff --git a/2019/3xxx/CVE-2019-3395.json b/2019/3xxx/CVE-2019-3395.json
index 0c88ac1bf28..0f785371ecb 100644
--- a/2019/3xxx/CVE-2019-3395.json
+++ b/2019/3xxx/CVE-2019-3395.json
@@ -1,18 +1,92 @@
 {
- "CVE_data_meta": {
- "ASSIGNER": "cve@mitre.org",
- "ID": "CVE-2019-3395",
- "STATE": "RESERVED"
- },
- "data_format": "MITRE",
- "data_type": "CVE",
- "data_version": "4.0",
- "description": {
- "description_data": [
+ "CVE_data_meta": {
+ "ASSIGNER": "security@atlassian.com",
+ "DATE_PUBLIC": "2019-03-20T10:00:00",
+ "ID": "CVE-2019-3395",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
 {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Confluence Server",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "6.6.7",
+ "version_affected": "<"
+ },
+
+
+ {
+ "version_value": "6.7.0",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "6.7.3",
+ "version_affected": "<="
+ },
+
+
+ {
+ "version_value": "6.8.0",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "6.8.5",
+ "version_affected": "<"
+ },
+
+
+ {
+ "version_value": "6.9.0",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "6.9.3",
+ "version_affected": "<"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Atlassian"
 }
- ]
- }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Server-Side Request Forgery (SSRF)"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jira.atlassian.com/browse/CONFSERVER-57971"
+ }
+ ]
+ }
 }
\ No newline at end of file
diff --git a/2019/3xxx/CVE-2019-3396.json b/2019/3xxx/CVE-2019-3396.json
index d2949d4a455..52a9464153f 100644
--- a/2019/3xxx/CVE-2019-3396.json
+++ b/2019/3xxx/CVE-2019-3396.json
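Review bot: The `version_data` list for CVE-2019-3395 describes the 6.7.x range differently from the description in the same record: the text says "from version 6.7.0 before 6.8.5", but the list closes that range with `"version_value": "6.7.3", "version_affected": "<="` and reopens it at `6.8.0`, and this is the only `<=` bound in the file. Tooling that matches on the structured fields would derive a different affected set from a reader of the prose; either drop the `6.7.3`/`6.8.0` pair so the list reads `>= 6.7.0` then `< 6.8.5`, or correct the description. `product_name` lists only `"Confluence Server"` although the description names Confluence Server and Data Center, so a second `product_data` entry for Data Center looks warranted. The CVE-2019-3396 record has the same product gap.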
@@ -1,18 +1,92 @@
 {
- "CVE_data_meta": {
- "ASSIGNER": "cve@mitre.org",
- "ID": "CVE-2019-3396",
- "STATE": "RESERVED"
- },
- "data_format": "MITRE",
- "data_type": "CVE",
- "data_version": "4.0",
- "description": {
- "description_data": [
+ "CVE_data_meta": {
+ "ASSIGNER": "security@atlassian.com",
+ "DATE_PUBLIC": "2019-03-20T10:00:00",
+ "ID": "CVE-2019-3396",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
 {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Confluence Server",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "6.6.12",
+ "version_affected": "<"
+ },
+
+
+ {
+ "version_value": "6.7.0",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "6.12.3",
+ "version_affected": "<"
+ },
+
+
+ {
+ "version_value": "6.13.0",
+ "version_affected": ">"
+ },
+ {
+ "version_value": "6.13.3",
+ "version_affected": "<"
+ },
+
+
+ {
+ "version_value": "6.14.0",
+ "version_affected": ">"
+ },
+ {
+ "version_value": "6.14.2",
+ "version_affected": "<"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Atlassian"
 }
- ]
- }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Server-Side Template Injection"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jira.atlassian.com/browse/CONFSERVER-57974"
+ }
+ ]
+ }
 }
\ No newline at end of file
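Review bot: The lower bounds `"version_value": "6.13.0"` and `"version_value": "6.14.0"` carry `"version_affected": ">"`, which excludes 6.13.0 and 6.14.0 themselves, while the description says "from version 6.13.0" and "from version 6.14.0". The 6.7.0 bound in the same list uses `>=`; both entries should read `"version_affected": ">="` so that tooling reading the structured data flags installations still on those two releases. Since the description states the issue leads to remote code execution, a missed match here is a false negative worth avoiding.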