Atlassian Confluence information disclosure
Description
Atlassian Confluence versions 6.0.0 through 6.0.6 contain an authentication bypass vulnerability in the drafts diff REST API endpoint. This endpoint exposes the full content of all blogs and pages without requiring user authentication when provided with a valid page ID or draft ID. Attackers with network access to the Confluence web interface can exploit this vulnerability by enumerating page and draft identifiers to retrieve sensitive content that should be protected by Confluence's access controls.
Remediation
Immediately upgrade Atlassian Confluence to version 6.0.7 or later (version 6.1.0 or above is recommended for additional security improvements). Follow these steps:
1. Review Atlassian's security advisory and back up your Confluence instance before upgrading
2. Schedule a maintenance window and notify users of the planned upgrade
3. Download the latest Confluence version from the official Atlassian website
4. Follow the Atlassian upgrade guide specific to your deployment method (standalone, data center, or cloud)
5. After upgrading, verify the version number in the Confluence administration console
6. Review access logs for any suspicious REST API requests to the drafts diff endpoint during the vulnerable period
If immediate patching is not possible, implement network-level access controls to restrict Confluence access to trusted IP addresses only as a temporary mitigation measure.
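To support steps 5 and 6 above, here is an added example (not Atlassian's code and not part of the original advisory) that checks a reported version against the affected range and scans access log lines for unauthenticated bulk retrieval of distinct content IDs through the drafts diff endpoint. It assumes a Tomcat-style access log whose user field is filled for authenticated sessions; the endpoint pattern, the `/rest/example/...` path in the constructed sample, and the function names are placeholders, since the advisory does not give the real path.

```python
import re
from collections import defaultdict

# Assumption: the advisory names no path, so this only requires "draft" and
# "diff" in a REST path; replace it with the exact path from Atlassian's advisory.
DRAFT_DIFF_RE = re.compile(r"^/rest/\S*draft\S*diff", re.IGNORECASE)
# Tomcat-style access log line: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: page/draft IDs appear as a numeric path segment of 4+ digits.
ID_RE = re.compile(r"/(\d{4,})(?=/|$)")

# Constructed sample log; "/rest/example/..." is a placeholder, not the real path.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jun/2017:10:00:01 +0000] "GET /rest/example/content/65537/draft/diff HTTP/1.1" 200 8123
198.51.100.7 - - [12/Jun/2017:10:00:02 +0000] "GET /rest/example/content/65538/draft/diff HTTP/1.1" 200 7990
198.51.100.7 - - [12/Jun/2017:10:00:03 +0000] "GET /rest/example/content/65539/draft/diff HTTP/1.1" 200 41
203.0.113.5 - jdoe [12/Jun/2017:10:05:00 +0000] "GET /rest/example/content/65537/draft/diff HTTP/1.1" 200 8123
203.0.113.9 - - [12/Jun/2017:10:06:00 +0000] "GET /pages/viewpage.action?pageId=65537 HTTP/1.1" 302 0
"""

def is_vulnerable(version: str) -> bool:
    """True for 6.0.0 through 6.0.6, the affected range named in the advisory."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))          # treat "6.0" as 6.0.0
    return (6, 0, 0) <= tuple(parts[:3]) < (6, 0, 7)

def parse_line(line: str):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return None if m is None else {**m.groupdict(), "status": int(m.group("status"))}

def find_enumeration(lines, min_ids: int = 3) -> dict:
    """Map source IP -> sorted content IDs for sources that fetched at least min_ids
    distinct IDs from the drafts diff endpoint with no authenticated user and HTTP 200."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not DRAFT_DIFF_RE.match(rec["path"]):
            continue
        if rec["user"] != "-" or rec["status"] != 200:   # keep only unauthenticated successes
            continue
        m = ID_RE.search(rec["path"])
        if m:
            seen[rec["ip"]].add(m.group(1))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_ids}
```

If your access log does not record the user field, drop that filter and rely on the distinct-ID threshold alone.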