A path-traversal vulnerability has been discovered in the Netic User Export add-on for Atlassian Confluence, affecting versions earlier than 1.3.5. The vulnerability, registered as CVE-2022-42977, poses a significant risk because it allows an unauthorized user to download any file that is readable by the account running the application (for example, an SSH private key). The vulnerable parameter, fileName, is part of the HTTP request sent when a user exports the list of users from the add-on.

Details of the Vulnerability

The Netic User Export add-on generates a list of the users in an Atlassian Confluence instance and offers to export that list as a file. During the export, the HTTP request that carries the fileName parameter accepts user input without validating or filtering it. An attacker can therefore supply a path of their choice, including ../ sequences that climb out of the directory the add-on intended to serve from, and the server returns the contents of that file.

A sample request that demonstrates the issue:

GET /plugins/servlet/user-export?fileName=../../../../../../../../../etc/passwd HTTP/1.1
Host: example.com

In the example above, the attacker attempts to retrieve /etc/passwd from the server by supplying a relative path in the fileName parameter; each ../ steps one directory up until the path reaches the filesystem root.
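To make the flaw concrete, the following added Python model (written for this page, not the add-on's own source) contrasts the two ways a fileName value can be handled: resolve_vulnerable reproduces the unvalidated join that lets ../ components climb out of the export directory, and resolve_hardened rejects anything that is not a bare file name and then verifies that the canonical path still lies inside that directory. The export directory path is an assumption; the page does not state where the add-on writes its exports.

```python
import os
import posixpath

# Assumed export location: the real add-on's directory is not stated on the
# page, so this path is illustrative only.
EXPORT_DIR = "/var/atlassian/application-data/confluence/export"


def resolve_vulnerable(export_dir: str, file_name: str) -> str:
    """Model of the flawed behaviour: the request's fileName is joined to the
    export directory without any validation, so '../' components climb out of
    it and the attacker picks any file on the host."""
    return os.path.normpath(os.path.join(export_dir, file_name))


def resolve_hardened(export_dir: str, file_name: str) -> str:
    """Resolve fileName only if it is a bare file name that stays inside
    export_dir; raise ValueError otherwise.

    Two independent checks: a syntactic one on the supplied name and a
    containment check on the canonicalised result, which also catches
    symlinks and separators the first check did not anticipate."""
    # 1. Syntactic check: no directory components, no '.' or '..', no
    #    backslash (a separator on Windows hosts) and no NUL byte.
    if (
        file_name in ("", ".", "..")
        or file_name != posixpath.basename(file_name)
        or "\\" in file_name
        or "\x00" in file_name
    ):
        raise ValueError(f"invalid export file name: {file_name!r}")

    # 2. Containment check: after canonicalisation the target must still be
    #    located under the export directory.
    base = os.path.realpath(export_dir)
    target = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes export directory: {target!r}")
    return target


def is_safe_export_name(file_name: str, export_dir: str = EXPORT_DIR) -> bool:
    """Convenience wrapper: True if the hardened resolver accepts the name."""
    try:
        resolve_hardened(export_dir, file_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    attack = "../../../../../../../../../etc/passwd"
    print("vulnerable join resolves to:", resolve_vulnerable(EXPORT_DIR, attack))
    # 'users..csv' is accepted: '..' only matters as a whole path component.
    for name in ("users.csv", "users..csv", attack, "/etc/passwd", "sub/users.csv"):
        print(f"{name!r:45} accepted={is_safe_export_name(name)}")
```

The checks operate on the decoded parameter value as the servlet sees it, so a URL-encoded ../ arrives already decoded and is rejected by the same rule. Keeping the syntactic check separate from the containment check means a future change to where exports are stored cannot silently reopen the hole.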

Exploiting the Vulnerability

Exploiting this vulnerability is relatively simple, as it only requires an attacker to send a specially crafted HTTP request to the exposed endpoint. The steps are:

1. Identify a target Confluence instance with the Netic User Export add-on installed at a version earlier than 1.3.5.
2. Craft the HTTP request shown earlier, replacing the value of the fileName parameter with the path of the desired file.
3. Read the server's response to obtain the contents of the requested file.

For example, using the following curl command, an attacker can retrieve the contents of the /etc/passwd file:

curl "http://example.com/plugins/servlet/user-export?fileName=../../../../../../../../../etc/passwd"

Mitigation and Remediation

The most effective way to mitigate this vulnerability is to upgrade the Netic User Export add-on to version 1.3.5 or later. According to the official release notes, the issue is fixed in that version, and upgrading prevents attackers from exploiting it.

If you cannot upgrade immediately, restrict access to the vulnerable endpoint in the meantime, for example with firewall rules or IP restrictions at the reverse proxy, or disable the add-on until the upgrade can be applied. Filtering only requests that contain a literal ../ is not sufficient, because the same path can be sent URL-encoded (for example ..%2F) or double-encoded; block the endpoint as a whole rather than individual patterns, and review access logs for earlier requests to it.
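For teams that cannot upgrade right away, or that want to know whether the endpoint has already been probed, the following added Python script (written for this page, not a tool from the add-on vendor) scans web-server access logs for requests to the export endpoint whose fileName parameter looks like a traversal. It percent-decodes repeatedly so that encoded and double-encoded variants are not missed, and records the response status and size so that successful reads can be told apart from failed attempts. The log lines are constructed for this example; the endpoint path and parameter name are those from the sample request above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter exactly as in the request shown earlier on this page.
EXPORT_PATH = "/plugins/servlet/user-export"
PARAM = "fileName"

# Constructed sample lines in the common access-log format (not real logs):
# one benign export, three traversal attempts (plain, URL-encoded and
# double-encoded), and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2022:01:20:11 +0000] "GET /plugins/servlet/user-export?fileName=users.csv HTTP/1.1" 200 4821
203.0.113.7 - - [15/Nov/2022:01:20:43 +0000] "GET /plugins/servlet/user-export?fileName=../../../../../../../../../etc/passwd HTTP/1.1" 200 1734
198.51.100.9 - - [15/Nov/2022:01:21:05 +0000] "GET /plugins/servlet/user-export?fileName=..%2F..%2F..%2F..%2F..%2Fhome%2Fconfluence%2F.ssh%2Fid_rsa HTTP/1.1" 200 2602
198.51.100.9 - - [15/Nov/2022:01:21:30 +0000] "GET /plugins/servlet/user-export?fileName=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 500 0
192.0.2.44 - - [15/Nov/2022:01:22:00 +0000] "GET /dashboard.action HTTP/1.1" 200 19211
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    '%252e%252e%252f' is seen as '../' rather than as harmless literal text."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_name: str) -> bool:
    """A legitimate export name is a single path component; anything with a
    separator, a '..' component or a NUL byte is an escape attempt."""
    name = decode_fully(file_name).replace("\\", "/")
    parts = name.split("/")
    return len(parts) > 1 or ".." in parts or "\x00" in name


def scan_access_log(text: str) -> list:
    """Return one finding per request to the export endpoint whose fileName
    looks like a traversal. Status 200 with a non-zero size means the server
    most likely served the file."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != EXPORT_PATH:
            continue
        # parse_qs percent-decodes once; decode_fully handles deeper layers.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "status": int(m["status"]),
                    "bytes": int(m["size"]) if m["size"].isdigit() else 0,
                    "fileName": decode_fully(value),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        served = "SERVED" if f["status"] == 200 and f["bytes"] > 0 else "failed"
        print(f"{f['time']} {f['ip']:15} {served:6} {f['fileName']}")
```

Run it against the real access log of the reverse proxy or Tomcat in front of Confluence (for example by reading the file and passing its contents to scan_access_log). A finding with status 200 and a non-zero byte count is an indicator that the named file was disclosed and that the corresponding credential, such as an SSH key, should be rotated.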

References

- CVE-2022-42977 - MITRE
- Netic User Export release notes - Atlassian Marketplace
- Atlassian Confluence - Official Website
- Netic User Export add-on - Atlassian Marketplace

Conclusion

The unauthorized file exposure vulnerability (CVE-2022-42977) in the Netic User Export add-on for Atlassian Confluence poses a significant risk to organizations and should be addressed immediately. To protect your systems against unauthorized access and data leakage, upgrade the add-on to version 1.3.5 or later, and until you can, restrict or disable access to the vulnerable endpoint.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 08/08/2023 14:22:00 UTC