CVE-2019-3396

CVE-2019-3396 is a critical-severity vulnerability in Atlassian Confluence Server with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.

Key facts

Description

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

CVE-2019-3396: Atlassian Confluence Widget Connector Macro Server-Side Template Injection

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2019-3396
Vendor Atlassian
Product Confluence Server / Data Center
CVSS v3.1 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2 10.0 — AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS 0.99913 (99.967th percentile)
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory
KEV Added 2021-11-03
EUVD EUVD-2019-13035 (active since 2021-11-03)

Summary

The Widget Connector macro in Atlassian Confluence Server and Data Center fails to safely handle user-supplied input, enabling an unauthenticated attacker to perform server-side template injection (SSTI). This can be leveraged for path traversal and ultimately remote code execution on the host.

Background

Atlassian Confluence is an enterprise wiki and collaboration platform widely deployed in corporate environments. The Widget Connector macro allows users to embed external multimedia content into pages. In affected versions, the macro's handling of resource references is unsafe, exposing the underlying Velocity template engine to attacker-controlled data.

Root Cause

Officially classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), the vulnerability stems from insufficient validation of user input used to construct template or resource paths. The Widget Connector macro accepts parameters that an attacker can manipulate with path traversal sequences or URI schemes to reference unintended templates. Because the input is evaluated by the Apache Velocity engine, this path traversal enables server-side template injection: attacker-supplied content is interpreted as template code rather than literal data, leading to arbitrary code execution.

Impact

  • CVSS 3.1 Score: 9.8 (Critical)
  • CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVSS 2.0 Score: 10.0
  • CVSS 2.0 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

The vulnerability is exploitable over the network with no authentication and no user interaction. Successful exploitation grants an attacker complete control over confidentiality, integrity, and availability of the Confluence instance, typically resulting in remote code execution as the Confluence process user.

Exploitation Walkthrough

Attackers target endpoints where the Widget Connector macro renders content, supplying a malicious _template parameter or similar input that abuses the macro's resource-loading logic. The payload typically incorporates path traversal patterns to escape the intended template directory, combined with Velocity Expression Language directives that execute system commands within the JVM context.

In observed attack patterns, adversaries may supply an attacker-controlled HTTPS URL as a template source, or traverse locally to sensitive templates. When the Velocity engine renders the retrieved template, embedded expressions execute with the privileges of the Confluence application.

Ethics caveat: This walkthrough is provided for defensive awareness and detection engineering only. Unauthorized exploitation of this vulnerability is illegal and unethical.

Affected and Patched Versions

Version Branch Affected Fixed Version
6.6.x < 6.6.12 6.6.12
6.7.0 – 6.12.2 All intermediate 6.12.3
6.13.0 – 6.13.2 All intermediate 6.13.3
6.14.0 – 6.14.1 All intermediate 6.14.2

Confluence Data Center editions are equally affected.

Remediation

  1. Upgrade immediately to the fixed version for your release branch:
    • 6.6.12 or later
    • 6.12.3 or later
    • 6.13.3 or later
    • 6.14.2 or later
  2. Compensating controls: If patching is not immediately feasible, disable the Widget Connector macro or restrict its usage via Confluence macro security settings. Restart the application after making these changes.
  3. Post-incident: Review Confluence logs for anomalous template rendering or unexpected process execution. Ensure the Confluence service account runs with least-privilege principles.

Detection

  • Monitor HTTP access logs for requests to Widget Connector endpoints containing path traversal sequences (../) or unexpected template parameters (_template, url, etc.).
  • Alert on Java process spawning or shell execution originating from the Confluence JVM.
  • Review outbound network connections from the Confluence server to unknown external hosts, which may indicate retrieval of attacker-controlled templates.
  • Correlate findings with the CISA KEV catalog entry and EUVD-2019-13035.

Assessment

With an EPSS score of 0.99913 (99.967th percentile), CVE-2019-3396 is among the most probable vulnerabilities to be exploited in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03) and the EU Exploited Vulnerabilities Database (EUVD-2019-13035, active since 2021-11-03) confirms sustained, real-world abuse. The combination of unauthenticated network access and full RCE makes this a maximum-priority patching item.

Lessons:

  1. Server-side template injection in enterprise Java applications can bridge directly to full system compromise; user input must never reach a template engine without strict validation and sandboxing.
  2. When EPSS approaches 1.0 and KEV/EUVD inclusion is confirmed, defenders should treat the vulnerability as actively exploited and prioritize emergency patching over standard change-management cycles.

References

Frequently asked questions

What is CVE-2019-3396?
The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
How severe is CVE-2019-3396?
CVE-2019-3396 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-3396 being actively exploited?
Yes. CVE-2019-3396 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-3396?
CVE-2019-3396 affects Atlassian Confluence Server. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-3396?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-3396 have an EU (EUVD) identifier?
Yes. CVE-2019-3396 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-13035. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-3396 published?
CVE-2019-3396 was published on 2019-03-25 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Atlassian Confluence Server

All CVEs affecting Atlassian Confluence Server →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →