CVE-2019-15006
CVE-2019-15006 is a medium-severity vulnerability in Atlassian Confluence with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-913.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 5.8
- EPSS exploit prediction: 2% (77th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-913
- Affected product: Atlassian Confluence
- Published:
- Last modified:
Description
There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked, however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information.
Frequently asked questions
- What is CVE-2019-15006?
- There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked, however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information.
- How severe is CVE-2019-15006?
- CVE-2019-15006 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity high, and availability none.
- Is CVE-2019-15006 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (77th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-15006?
- CVE-2019-15006 primarily affects Atlassian Confluence. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-15006?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2019-15006 published?
- CVE-2019-15006 was published on 2019-12-19 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/155742/Atlassian-Confluence-Man-In-The-Middle.html
- https://confluence.atlassian.com/doc/confluence-security-advisory-2019-12-18-982324349.html
- https://jira.atlassian.com/browse/CONFSERVER-59244
- https://seclists.org/bugtraq/2019/Dec/36
- https://twitter.com/SwiftOnSecurity/status/1202034106495832067
Affected products (2)
- cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
More vulnerabilities in Atlassian Confluence
- CVE-2019-3395 — Critical (CVSS 9.8): The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x),…
- CVE-2012-2926 — Critical (CVSS 9.1): Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible…
- CVE-2019-3394 — High (CVSS 8.8): There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An…
- CVE-2019-20406 — High (CVSS 7.8): The usage of Tomcat in Confluence on the Microsoft Windows operating system before version 7.0.5, and from version…
- CVE-2017-18086 — Medium (CVSS 6.1): Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML…
- CVE-2017-18085 — Medium (CVSS 6.1): The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject…
All CVEs affecting Atlassian Confluence →
Other CWE-913 vulnerabilities
- CVE-2026-47208 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout…
- CVE-2026-47137 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903)…
- CVE-2026-47131 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining…
- CVE-2023-29017 — Critical (CVSS 10.0): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was…
- CVE-2022-36067 — Critical (CVSS 10.0): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version…
- CVE-2026-34156 — Critical (CVSS 9.9): NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior…