SSRF vulnerability in Scroll Word Exporter 2019-09-05

Summary

This advisory discloses a security issue of high severity affecting Scroll Word Exporter for Confluence Server and Datacenter, and provides a step-by-step guide to help you rectify the issue.

Affected Products and Versions

Scroll Word Exporter before and including 4.1.10. Fixed in 4.1.11 and later.

Severity

K15t rates the severity level of this issue as high, because it can be abused for SSRF attacks.

This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.

Detailed description

A bug in the processing of user-provided export templates can be exploited for a Server Side Request Forgery attack (SSRF) in order to initiate HTTP calls to internal resources such as a file server. This can also be used to include such resources into the exported Word file.
To exploit this an authenticated Confluence user needs to be able to upload manipulated Scroll Word Exporter templates for example in their personal space and then export using this template.

We've rated this bug with a CVSS score of 8.5 (High).

Steps we've taken to fix this issue

• We released a fixed version of Scroll Word Exporter on the Atlassian Marketplace.

What you need to do to solve this issue on your instance

A Confluence administrator needs to upgrade the affected apps to a fixed version.