Scroll Exporter Security Advisory 2014-11-19
This advisory discloses a critical security vulnerability that we have found in our Scroll PDF Exporter, Scroll EPUB Exporter and Scroll EclipseHelp Exporter and fixed in a recent version of these Scroll Exporters.
- Customers who have downloaded and installed Scroll PDF Exporter, Scroll EPUB Exporter or Scroll EclipseHelp Exporter should upgrade their existing Scroll Exporter version to fix this vulnerability.
- No other K15t add-ons are affected.
The vulnerability affects all versions of Scroll PDF Exporter, Scroll EPUB Exporter or Scroll EclipseHelp Exporter up to and including 3.1.3, running on all supported Confluence versions.
K15t Software is committed to improving product security. We fully support the reporting of vulnerabilities (through our support system or firstname.lastname@example.org) and we appreciate it when people work with us to identify and solve the problem.
Confluence permission checks can be bypassed
K15t Software rates the severity level of this vulnerability as critical, according to the scale published in Severity Levels of Security Issues by Atlassian. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
We found a critical security problem in these products:
- Scroll PDF Exporter
- Scroll EclipseHelp Exporter
- Scroll EPUB Exporter
A malicious user may use these exporters to access Confluence services, bypassing the usual Confluence permission checks. These Confluence services can be used to access and manipulate content like pages and spaces.
If Confluence is configured to grant access to anonymous users, these services can also be used by anonymous users.
There is no workaround available. Confluence administrators must upgrade these exporters to version 3.1.4
The vulnerability affects all versions of Scroll PDF Exporter, Scroll EPUB Exporter and Scroll EclipseHelp Exporter up to and including 3.1.3. It has been fixed in 3.1.4. The issue is tracked in: - EXP-703Getting issue details... STATUS
Unfortunately there's no temporary workaround, please update your current Scroll PDF Exporter, Scroll EPUB Exporter and Scroll EclipseHelp Exporter to version 3.1.4 immediately.
This vulnerability can be fixed by upgrading your Scroll Exporter. If you have any questions, please raise a support request at http://support.k15t.com. We recommend upgrading.