
Dear customers,

On May 27th, 2019, we discovered a vulnerability in Play SQL Base, Play SQL Spreadsheets and Play SQL Cloud. We recommend that Confluence Server customers upgrade to Play SQL Base/Spreadsheets 3.1.3. Cloud users are already upgraded.

Source of vulnerability identification

We discovered the issue while developing an adjacent feature for a customer: we noticed that we had misconfigured a library, which created an XSS vulnerability.

Investigation details

During the investigation, we established that the issue had been present since almost the beginning of this plugin.


What it allows

It allows an attacker to execute commands as another user, as long as this other user views the Spreadsheet forged by the attacker.

Limitations for this vulnerability

Confluence Server:

  • WebSudo: By default, Confluence is configured with WebSudo enabled. If used, the attacker can't reach administrative options.
  • The attacker needs to have write permissions on spreadsheets.

Confluence Cloud:

  • Our plugin only has READ access to Confluence, so the attacker could only have read data.
  • The attacker needs to have write permissions on spreadsheets.

Atlassian rated the severity as HIGH on their CVSS v3 scale.

Remediation actions


What actions we have taken

Confluence Server:

  • We published a fix on the same day. We recommend that users upgrade.
  • We communicated immediately with Atlassian about the issue, and they rated it High on their CVSS scale.

Confluence Cloud:

  • Our cloud version was upgraded the same day as the discovery.
  • We communicated immediately with Atlassian about the issue, and they rated it High on their CVSS scale.

Version

  • Confluence Server: Play SQL Spreadsheets 3.1.3 and Play SQL Base 3.1.3
  • Confluence Cloud: Automatic.

Decisions we've taken

We decided to publish the bugfix under an innocuous label, so that customers had a chance to upgrade before the existence of this vulnerability became publicly known. 48 customers have done so. We are now communicating it explicitly to customers.


Information about likelihood of exploitation / real-world impacts

We've investigated data on all our Cloud instances:

  • No customer has data making use of this attack vector.
  • No customer has had such data in the 30 days preceding the discovery (between April 28th and May 27th).
  • We do not know whether the vulnerability could have been used before that, but we estimate it is unlikely that an attacker would have discovered it, used it and hidden it before our discovery.

We can't investigate whether Server instances have been affected, since we don't have access to this data.

Actions to perform

If you are using Play SQL Spreadsheets or Play SQL Base on Confluence Server, please upgrade to the latest version.
