CVE-2020-29448

The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

Published: Feb 22, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-29448
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
atlassian / confluence_server	-	6.13.18
atlassian / confluence_server	6.14.0	7.4.6
atlassian / confluence_server	7.5.0	7.8.3
atlassian / confluence_data_center	-	6.13.18
atlassian / confluence_data_center	6.14.0	7.4.6
atlassian / confluence_data_center	7.5.0	7.8.3

https://jira.atlassian.com/browse/CONFSERVER-60469

Vulnerability Database

289,784

CVE-2020-29448