Critical Security Update

This release fixes a security vulnerability discovered in ScriptRunner for Confluence. The vulnerability affects versions 4.3.1 through 5.5.8 (inclusive) of ScriptRunner for Confluence.

The vulnerability is classified as critical in line with Atlassian’s Security Levels.

The Markdown macro in ScriptRunner for Confluence renders a Markdown document, fetched from the URL given in the macro, into a page, blog post or comment. The vulnerability is a Server-Side Request Forgery (SSRF): because the fetch is performed by the Confluence server itself, an unauthorised user can use the macro to reach internal resources that the server can reach, including files on it.

After you upgrade, the macro only fetches documents from sites on Confluence’s whitelist, so a Confluence administrator will need to add the sites hosting approved Markdown documents to that whitelist. Follow the detailed instructions in the Markdown Macro documentation on the whitelist.

How to find URLs to whitelist

The easiest way to find affected content is to search for the pages that contain the Markdown Macro. ScriptRunner for Confluence makes this easy by adding a CQL Search feature to Confluence’s main search.

To make use of it, start typing a search query and the search panel should pop out. Click Advanced Search.

On the search page, enter this query into the search box:

macro = markdown

then click the CQL Search button. A list of pages with the Markdown Macro should appear.

From the search results, you can visit a page and edit it to see the URL used for that content.

(Screenshot: Markdown macro URL example)

You do not need to whitelist each individual URL. Confluence’s whitelist allows administrators to specify permitted domains or URL patterns. We recommend whitelisting https://bitbucket.com, https://raw.githubusercontent.com, and https://raw.github.com by default, as they cover some of the most common uses of this macro. Because all HTML produced by the Markdown Macro is sanitized against cross-site scripting, whitelisting a whole public host is acceptable; a more restrictive pattern such as https://bitbucket.com/MyCompany/* further limits what the server will fetch on users’ behalf, and you may use one at your discretion. Any linked Atlassian applications, such as a linked Bitbucket Server instance, are whitelisted by default as well.
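To make the whitelist semantics concrete, the following is an added Python model of the check an outbound Markdown fetch should pass. It is not Confluence’s or ScriptRunner’s code: the entries, the treatment of a trailing * as a path prefix, and the port and path-normalisation rules are assumptions for illustration, and Confluence’s own matching rules are those in its whitelist documentation. It goes slightly beyond the page by also rejecting two classic bypasses a naive "does the URL start with the trusted host" check would miss: userinfo tricks (trusted.host@internal-ip) and ../ traversal past a prefix pattern.

```python
"""Model of an outbound-URL allowlist check for a Markdown-style fetch.

Added example, not ScriptRunner or Confluence code: a simplified reading of
"permitted domains or URL patterns". Entries and matching rules are assumed.
"""
import posixpath
from urllib.parse import urlsplit

# Only web schemes may ever be fetched; file:// and ftp:// are rejected
# before any whitelist entry is consulted. Values are the default ports.
ALLOWED_SCHEMES = {"http": 80, "https": 443}

# Constructed allowlist: two whole-host entries and one path-prefix pattern.
WHITELIST = [
    "https://raw.githubusercontent.com",
    "https://raw.github.com",
    "https://bitbucket.com/MyCompany/*",
]


def _clean_path(path):
    """Collapse '.' and '..' so /MyCompany/../Other/ cannot pass a prefix rule."""
    return posixpath.normpath(path or "/")


def _effective_port(parts):
    """Explicit port if given, else the scheme default (so :443 == no port)."""
    if parts.port is not None:
        return parts.port
    return ALLOWED_SCHEMES.get(parts.scheme.lower())


def _parse_entry(entry):
    """Turn one whitelist string into (scheme, host, port, kind, path)."""
    parts = urlsplit(entry)
    if parts.path.endswith("*"):
        kind, path = "prefix", _clean_path(parts.path[:-1])
    elif parts.path in ("", "/"):
        kind, path = "any", None          # whole host, any path
    else:
        kind, path = "exact", _clean_path(parts.path)
    return parts.scheme.lower(), parts.hostname, _effective_port(parts), kind, path


def is_allowed(url, whitelist=WHITELIST):
    """True only for an http(s) URL whose scheme, host, port and path match an entry."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES or not parts.hostname:
            return False
        port = _effective_port(parts)     # .port raises ValueError on a bad port
    except ValueError:
        return False
    # .hostname drops userinfo, so "raw.githubusercontent.com@169.254.169.254"
    # is compared as the real target, 169.254.169.254, and fails to match.
    host = parts.hostname
    path = _clean_path(parts.path)
    for entry in whitelist:
        e_scheme, e_host, e_port, kind, e_path = _parse_entry(entry)
        if (scheme, host, port) != (e_scheme, e_host, e_port):
            continue
        if kind == "any":
            return True
        if kind == "exact" and path == e_path:
            return True
        if kind == "prefix" and (path == e_path or path.startswith(e_path + "/")):
            return True
    return False
```

Note what a whole-host entry means in this model: any path on that host may be fetched by the server on a user’s behalf, which is why the narrower https://bitbucket.com/MyCompany/* form is worth using when you control the hosting repository.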

Replacing File URLs

One of the use cases originally supported by the Markdown Macro was specifying file paths on the server or on remote FTP servers using URLs with the file:// or ftp:// prefix.

As the Confluence whitelist only supports http and https URLs, file-based URLs require a workaround. To that end, we have documented how to set up a REST Endpoint to securely read files from the filesystem on the Confluence server (including network shares) or from remote FTP servers.
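The page does not reproduce that REST Endpoint. As an added illustration, and not Adaptavist’s documented endpoint (it is Python rather than ScriptRunner’s Groovy), here is the containment check any such endpoint needs in front of the file read: the requested path is resolved and must still lie under an approved base directory, otherwise the old file:// problem simply moves into the endpoint. The approved directory, sample file and list of requests are constructed for the demonstration.

```python
"""Containment check for a 'read this Markdown file off the server' endpoint.

Added example, not Adaptavist's REST endpoint: shows the access control that
must sit in front of any file read performed on behalf of page content.
The approved directory, sample file and request list are constructed here.
"""
import os
import tempfile


class NotPermitted(Exception):
    """Requested path resolves outside the approved directory."""


def read_confined_file(base_dir, requested):
    """Return the text of base_dir/requested, refusing anything that escapes base_dir.

    realpath() collapses '..' and follows symlinks *before* the containment
    test, so traversal and planted links are judged by where they really
    land. An absolute `requested` makes os.path.join discard base_dir and
    is caught by the same test.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise NotPermitted(f"{requested!r} resolves to {target}, outside {base}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Exercise the check against a throwaway approved directory.

    Returns {label: "ok" | "rejected"} so each case can be inspected.
    """
    outcomes = {}
    with tempfile.TemporaryDirectory() as approved:
        with open(os.path.join(approved, "README.md"), "w", encoding="utf-8") as fh:
            fh.write("# Constructed sample document\n")
        cases = [
            ("plain", "README.md"),
            ("dotdot_inside", "docs/../README.md"),   # stays inside: allowed
            ("traversal", "../../../../etc/passwd"),
            ("absolute", "/etc/passwd"),
        ]
        try:
            # Symlink inside the approved tree that points at its parent.
            os.symlink(os.path.dirname(approved), os.path.join(approved, "escape"))
            cases.append(("symlink", "escape/README.md"))
        except (OSError, NotImplementedError):
            pass                                       # platform without symlinks
        for label, requested in cases:
            try:
                read_confined_file(approved, requested)
                outcomes[label] = "ok"
            except NotPermitted:
                outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14} {outcome}")
```

The same shape applies to a network share: mount it, point base_dir at the mount, and let the containment test decide, rather than accepting an arbitrary UNC path or file:// URL from the macro parameter.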
