SummaryMicropost content can be exchanged by any logged-in user with create permissions
Advisory Release Date

 12:00 CET

Product
  • Microblogging for Confluence
  • Linchpin Intranet Suite

Affected Microblogging for Confluence Versions

All version from 2.2 to 5.1.4

Fixed Microblog for Confluence VersionVersion 5.1.5
Affected Linchpin Intranet Suite VersionsAll versions from 1.0.0 to 2.0.2 and version 3.0.0
Fixed Linchpin Intranet Suite VersionsVersion 2.0.3 and all version from 3.0.1

Problem

Recently, a security vulnerability was identified in our Microblogging for Confluence app. The vulnerability allowed any logged-in user to exchange the content of a Micropost by using a manipulated request, as long as the user has the permission to create Microposts on the topic. This manipulation would not show up in the edit history of the Micropost and it would not be noticeable for users that the Micropost was changed at all. Information from these Microposts could not be leaked. However, the integrity could have been affected.

The vulnerability has been rated as low (3.3) according to the scale published under the Common Vulnerability Scoring System (CVSS).

It was brought to our notice on 24 February 2020 at approximately 11:15 CEST by the user who noticed the issue. As soon as we were made aware of the issue, we analyzed the codebase for similar vulnerabilities.

All versions of the app Microblogging for Confluence between 2.2.0 and 5.1.4 are affected by this vulnerability.

All versions of the Linchpin Intranet Suite are affected by this vulnerability, until versions 2.0.3 and 3.0.1.

Solution

Depending on the fact whether you use the Microblogging for Confluence app or the Linchpin Intranet Suite, there are different steps to perform to solve this issue.

Microbloging for Confluence

If you are using the Microbloging for Confluence app in one of the affected versions 2.2.0 to 5.1.4, immediately update to version 5.1.5.

Linchpin Intranet Suite

If you are using the Microblog in your system, immediately update to a Linchpin Intranet Suite version containing the fix. Please refer to the table below to determine the appropriate fix version. If you are not able to update the Linchpin Intranet Suite to one of the listed versions, please contact our support team at https://seibert.biz/help.

Current versionFix version
1.0.x, 1.1.x, 1.2.x2.0.3
2.0.x2.0.3
3.0.03.0.1

Important: If you update from Linchpin Intranet Suite 2.0.0 or earlier versions, your system could be affected by a rare bug that causes the installation to hang.
Please follow the description in this article: Installation or update of Linchpin Intranet Suite hangs

  1. Restart Confluence (only necessary if the update is already hanging)
  2. Uninstall the app "Linchpin User Profiles (Content Responsibility)".
  3. Uninstall the app "Linchpin User Profiles".
  4. Install the app "Linchpin Intranet Suite" or install the app "Linchpin User Profiles" again.

Root Cause

When creating a Micropost, a draft will be created in order to handle attachments. Upon saving the Micropost, the draft will be converted into a real Micropost. The vulnerability allows this save action to target posts which are no longer in draft status but already submitted. Because of this, the create permissions were checked instead of the edit permissions and thus the authorship of the post was not verified. This led to the problem that the Micropost's content was replaced by the supplied data under the original user's name.


This content was last updated on 02/28/2020.

This content hasn't been updated in a while. That doesn't have to be a problem. Some of our pages live for years without becoming obsolete.

Old content can be incorrect, misleading or outdated. Please get in contact with us via a form on this page, our live chat or via email with content@seibert.group if you are in doubt, have a question, suggestion, or want changes from us.