CVE-2019-3396
CVE-2019-3396 is a critical-severity vulnerability in Atlassian Confluence Server with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-13035
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: Atlassian Confluence Server
- Published:
- Last modified:
Description
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
CVE-2019-3396: Atlassian Confluence Widget Connector Macro Server-Side Template Injection
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2019-3396 |
| Vendor | Atlassian |
| Product | Confluence Server / Data Center |
| CVSS v3.1 | 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS v2 | 10.0 — AV:N/AC:L/Au:N/C:C/I:C/A:C |
| EPSS | 0.99913 (99.967th percentile) |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory |
| KEV | Added 2021-11-03 |
| EUVD | EUVD-2019-13035 (active since 2021-11-03) |
Summary
The Widget Connector macro in Atlassian Confluence Server and Data Center fails to safely handle user-supplied input, enabling an unauthenticated attacker to perform server-side template injection (SSTI). This can be leveraged for path traversal and ultimately remote code execution on the host.
Background
Atlassian Confluence is an enterprise wiki and collaboration platform widely deployed in corporate environments. The Widget Connector macro allows users to embed external multimedia content into pages. In affected versions, the macro's handling of resource references is unsafe, exposing the underlying Velocity template engine to attacker-controlled data.
Root Cause
Officially classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), the vulnerability stems from insufficient validation of user input used to construct template or resource paths. The Widget Connector macro accepts parameters that an attacker can manipulate with path traversal sequences or URI schemes to reference unintended templates. Because the input is evaluated by the Apache Velocity engine, this path traversal enables server-side template injection: attacker-supplied content is interpreted as template code rather than literal data, leading to arbitrary code execution.
Impact
- CVSS 3.1 Score: 9.8 (Critical)
- CVSS 3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - CVSS 2.0 Score: 10.0
- CVSS 2.0 Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
The vulnerability is exploitable over the network with no authentication and no user interaction. Successful exploitation grants an attacker complete control over confidentiality, integrity, and availability of the Confluence instance, typically resulting in remote code execution as the Confluence process user.
Exploitation Walkthrough
Attackers target endpoints where the Widget Connector macro renders content, supplying a malicious _template parameter or similar input that abuses the macro's resource-loading logic. The payload typically incorporates path traversal patterns to escape the intended template directory, combined with Velocity Expression Language directives that execute system commands within the JVM context.
In observed attack patterns, adversaries may supply an attacker-controlled HTTPS URL as a template source, or traverse locally to sensitive templates. When the Velocity engine renders the retrieved template, embedded expressions execute with the privileges of the Confluence application.
Ethics caveat: This walkthrough is provided for defensive awareness and detection engineering only. Unauthorized exploitation of this vulnerability is illegal and unethical.
Affected and Patched Versions
| Version Branch | Affected | Fixed Version |
|---|---|---|
| 6.6.x | < 6.6.12 | 6.6.12 |
| 6.7.0 – 6.12.2 | All intermediate | 6.12.3 |
| 6.13.0 – 6.13.2 | All intermediate | 6.13.3 |
| 6.14.0 – 6.14.1 | All intermediate | 6.14.2 |
Confluence Data Center editions are equally affected.
Remediation
- Upgrade immediately to the fixed version for your release branch:
- 6.6.12 or later
- 6.12.3 or later
- 6.13.3 or later
- 6.14.2 or later
- Compensating controls: If patching is not immediately feasible, disable the Widget Connector macro or restrict its usage via Confluence macro security settings. Restart the application after making these changes.
- Post-incident: Review Confluence logs for anomalous template rendering or unexpected process execution. Ensure the Confluence service account runs with least-privilege principles.
Detection
- Monitor HTTP access logs for requests to Widget Connector endpoints containing path traversal sequences (
../) or unexpected template parameters (_template,url, etc.). - Alert on Java process spawning or shell execution originating from the Confluence JVM.
- Review outbound network connections from the Confluence server to unknown external hosts, which may indicate retrieval of attacker-controlled templates.
- Correlate findings with the CISA KEV catalog entry and EUVD-2019-13035.
Assessment
With an EPSS score of 0.99913 (99.967th percentile), CVE-2019-3396 is among the most probable vulnerabilities to be exploited in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03) and the EU Exploited Vulnerabilities Database (EUVD-2019-13035, active since 2021-11-03) confirms sustained, real-world abuse. The combination of unauthenticated network access and full RCE makes this a maximum-priority patching item.
Lessons:
- Server-side template injection in enterprise Java applications can bridge directly to full system compromise; user input must never reach a template engine without strict validation and sandboxing.
- When EPSS approaches 1.0 and KEV/EUVD inclusion is confirmed, defenders should treat the vulnerability as actively exploited and prioritize emergency patching over standard change-management cycles.
References
- http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html
- http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html
- http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector
- https://jira.atlassian.com/browse/CONFSERVER-57974
- https://www.exploit-db.com/exploits/46731/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3396
Frequently asked questions
- What is CVE-2019-3396?
- The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
- How severe is CVE-2019-3396?
- CVE-2019-3396 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-3396 being actively exploited?
- Yes. CVE-2019-3396 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-3396?
- CVE-2019-3396 affects Atlassian Confluence Server. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-3396?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-3396 have an EU (EUVD) identifier?
- Yes. CVE-2019-3396 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-13035. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-3396 published?
- CVE-2019-3396 was published on 2019-03-25 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html
- http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html
- http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector
- https://jira.atlassian.com/browse/CONFSERVER-57974
- https://www.exploit-db.com/exploits/46731/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3396
Affected products (1)
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
More vulnerabilities in Atlassian Confluence Server
- CVE-2023-22527 — Critical (CVSS 9.8): A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated…
- CVE-2023-22518 — Critical (CVSS 9.8): All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper…
- CVE-2023-22515 — Critical (CVSS 9.8): Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have…
- CVE-2022-26136 — Critical (CVSS 9.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used…
- CVE-2022-26134 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
- CVE-2021-26084 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
All CVEs affecting Atlassian Confluence Server →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…