Summary | Micropost content can be exchanged by any logged-in user with create permissions |
---|---|
Advisory Release Date | 12:00 CET |
Product | |
Affected Microblogging for Confluence Versions | All versions from 2.2 to 5.1.4 |
Fixed Microblogging for Confluence Version | Version 5.1.5 |
Affected Linchpin Intranet Suite Versions | All versions from 1.0.0 to 2.0.2 and version 3.0.0 |
Fixed Linchpin Intranet Suite Versions | Version 2.0.3 and all versions from 3.0.1 |
Problem
Recently, a security vulnerability was identified in our Microblogging for Confluence app. The vulnerability allowed any logged-in user to exchange the content of a Micropost by sending a manipulated request, as long as the user had permission to create Microposts on the topic. The manipulation did not show up in the edit history of the Micropost, and users would not notice that the Micropost had been changed at all. Information from these Microposts could not be leaked; however, their integrity could have been affected.
The vulnerability has been rated as low (3.3) according to the scale published under the Common Vulnerability Scoring System (CVSS).
It was brought to our notice on 24 February 2020 at approximately 11:15 CEST by the user who noticed the issue. As soon as we were made aware of the issue, we analyzed the codebase for similar vulnerabilities.
All versions of the app Microblogging for Confluence between 2.2.0 and 5.1.4 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite prior to versions 2.0.3 and 3.0.1 are affected by this vulnerability.
Solution
Depending on whether you use the Microblogging for Confluence app or the Linchpin Intranet Suite, there are different steps to perform to solve this issue.
Microblogging for Confluence
If you are using the Microblogging for Confluence app in one of the affected versions 2.2.0 to 5.1.4, immediately update to version 5.1.5.
Linchpin Intranet Suite
If you are using the Microblog in your system, immediately update to a Linchpin Intranet Suite version containing the fix. Please refer to the table below to determine the appropriate fix version. If you are not able to update the Linchpin Intranet Suite to one of the listed versions, please contact our support team at https://seibert.biz/help.
Current version | Fix version |
---|---|
1.0.x, 1.1.x, 1.2.x | 2.0.3 |
2.0.x | 2.0.3 |
3.0.0 | 3.0.1 |
Important: If you update from Linchpin Intranet Suite 2.0.0 or earlier versions, your system could be affected by a rare bug that causes the installation to hang.
Please follow the description in this article: Installation or update of Linchpin Intranet Suite hangs
- Restart Confluence (only necessary if the update is already hanging)
- Uninstall the app "Linchpin User Profiles (Content Responsibility)".
- Uninstall the app "Linchpin User Profiles".
- Install the app "Linchpin Intranet Suite" or install the app "Linchpin User Profiles" again.
Root Cause
When creating a Micropost, a draft is created first in order to handle attachments. Upon saving the Micropost, the draft is converted into a real Micropost. The vulnerability allowed this save action to target posts that were no longer in draft status but had already been submitted. Because the save path was designed for drafts, it checked the create permissions instead of the edit permissions, and thus the authorship of the post was never verified. As a result, the Micropost's content was replaced by the supplied data under the original user's name.
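The following added example (not the app's own code; the class, function and permission names are assumptions) models the root cause described above: a draft-to-post conversion that checks only create permission on the topic, beside a hardened version that refuses to convert anything but a draft owned by the caller.

```python
from dataclasses import dataclass

# Constructed model of the Micropost draft/save flow; all names here are
# assumptions for illustration, not the app's own code.
@dataclass
class Micropost:
    topic: str
    author: str
    content: str
    is_draft: bool = True

# Constructed permission table: the topics each user may create posts on.
CREATE_PERMS = {"alice": {"news"}, "bob": {"news"}}

def can_create(user: str, topic: str) -> bool:
    return topic in CREATE_PERMS.get(user, set())

def save_draft_vulnerable(posts: dict, user: str, post_id: int, content: str) -> None:
    """Vulnerable save: only create permission on the topic is checked, so the
    id of a published post is accepted and overwritten under its original author."""
    post = posts[post_id]
    if not can_create(user, post.topic):
        raise PermissionError("no create permission on topic")
    post.content = content   # author unchanged, no history entry written
    post.is_draft = False

def save_draft_fixed(posts: dict, user: str, post_id: int, content: str) -> None:
    """Hardened save: converts only a draft the caller owns; an already
    submitted post must go through the edit path with its own checks."""
    post = posts[post_id]
    if not post.is_draft:
        raise PermissionError("post already submitted; save does not apply")
    if post.author != user:
        raise PermissionError("draft belongs to another user")
    if not can_create(user, post.topic):
        raise PermissionError("no create permission on topic")
    post.content = content
    post.is_draft = False

def run(save) -> tuple:
    """bob (create permission on 'news') sends a save request naming alice's
    already published post. Returns (author, content, error) afterwards."""
    posts = {1: Micropost("news", "alice", "original", is_draft=False)}
    try:
        save(posts, "bob", 1, "tampered")
        error = None
    except PermissionError as exc:
        error = str(exc)
    return posts[1].author, posts[1].content, error
```

With the vulnerable save, `run` returns the post still attributed to alice but with bob's content; with the hardened save, the request is rejected and the content is untouched.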