Confluence Widget Connector SSTI

Description

The Widget Connector macro in Atlassian Confluence Server contains a path traversal vulnerability (CWE-22) that can be exploited to achieve Server-Side Template Injection (SSTI). This vulnerability allows unauthenticated attackers to traverse the file system and inject malicious template code, which is then executed on the server, leading to arbitrary code execution.

Remediation

Apply security patches immediately by upgrading Confluence Server to a fixed version as specified in the Atlassian security advisory. Affected versions should be upgraded to: Confluence Server 6.6.12 or later (for 6.6.x), 6.12.3 or later (for 6.12.x), 6.13.3 or later (for 6.13.x), or 6.14.2 or later (for 6.14.x). As an interim mitigation, if immediate patching is not possible, disable the Widget Connector macro through the Confluence administration console under 'Manage Apps' > 'Widget Connector'. Monitor server logs for suspicious activity including unexpected file access patterns or template rendering errors. Verify that no unauthorized access or code execution has occurred prior to patching.
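As an added example (not Invicti's or Atlassian's code), a small Python triage helper that classifies Confluence Server versions against the fixed releases listed above; the hostnames and versions in the sample inventory are constructed, and branches the remediation text does not list are reported as unknown rather than guessed.

```python
"""Triage Confluence Server versions against the fixed releases named in the
remediation text. Added example; inventory below is constructed, not real."""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed release per affected branch, as listed in the remediation.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (6, 6): (6, 6, 12),
    (6, 12): (6, 12, 3),
    (6, 13): (6, 13, 3),
    (6, 14): (6, 14, 2),
}

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse 'major.minor.patch'; a trailing suffix such as '-rc1' is ignored.
    Returns None for malformed input instead of guessing."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' (malformed input, or a branch the
    remediation does not list; check the Atlassian advisory for those)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, status, target) rows, vulnerable hosts first.
    target is the branch's fixed release, or '' when the status is unknown."""
    rows = []
    for host, ver in inventory.items():
        status = classify(ver)
        target = ""
        if status != "unknown":
            v = parse_version(ver)
            target = ".".join(str(n) for n in FIXED_BY_BRANCH[(v[0], v[1])])
        rows.append((host, status, target))
    order = {"vulnerable": 0, "unknown": 1, "fixed": 2}
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {"wiki-a": "6.13.1", "wiki-b": "6.14.2",
                    "wiki-c": "6.9.0", "wiki-d": "6.6.11", "wiki-e": "n/a"}

if __name__ == "__main__":
    for host, status, target in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {status:10} {target}")
```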