CVE-2019-3394

HIGH

Confluence 6.1.0-6.6.15, 6.7.0-6.13.6, 6.14.0-6.15.7 - Authenticated Local File Disclosure via Page Export

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-3394. PoCs published by jas502n.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2019-3394, a local file read vulnerability in Atlassian Confluence. The exploit leverages a path traversal technique via the `src` attribute in an image tag to read arbitrary files from the `WEB-INF` directory.

Description

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

Exploits (1)

nomisec WORKING POC 17 stars
by jas502n · poc
https://github.com/jas502n/CVE-2019-3394

This repository contains a proof-of-concept exploit for CVE-2019-3394, a local file read vulnerability in Atlassian Confluence. The exploit leverages a path traversal technique via the `src` attribute in an image tag to read arbitrary files from the `WEB-INF` directory.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Confluence (6.1.0 <= version < 6.6.16, 6.7.0 <= version < 6.13.7, 6.14.0 <= version < 6.15.8)
Auth required
Prerequisites: Access to a Confluence instance with 'Add Page' permissions · Valid session cookie (JSESSIONID)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/CONFSERVER-58734
Patch, Vendor Advisory x_refsource_misc
https://confluence.atlassian.com/x/uAsvOg

Scores

CVSS v3 8.8
EPSS 0.1141
EPSS Percentile 95.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (2)
atlassian/confluence 6.1.0 - 6.6.16
atlassian/confluence_server 6.14.0 - 6.15.8
Published Aug 29, 2019
Tracked Since Feb 18, 2026