Lockpoint Security Notice 2021-02-18

Notice Date: February 18, 2021

Overview

Cenote is advising customers of the release of a security release for Cenote Lockpoint for Confluence. This release corrects two sets of CSRF security issues, one of which is rated as low severity and the second of which is rated as medium severity.

The latest version of Cenote Lockpoint (2.4.7) and all subsequent releases contain fixes for these vulnerabilities. All prior versions of Lockpoint are vulnerable, although one of the issues is applicable only when used with a certain range of Confluence versions.

Security Issue #1: CSRF tampering of email notifications (all Confluence versions)

Severity: LOW (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Requests to generate email notifications of attachment unlocks were not properly validated, so a CSRF attack could be used to trick a victim into subscribing to or unsubscribing from such email notifications for an attachment.

This vulnerability is present in all versions of Lockpoint from 2.4.6 and below, when used in any configuration, and with any version of Confluence.

Security Issue #2: CSRF tampering of other requests (Confluence 7.1 and below only)

Severity: MEDIUM (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Certain other product endpoints were not properly validated against CSRF attacks, depending on the Confluence configuration. This could potentially allow an attacker to trick an unsuspecting victim into modifying attachment properties and similar state, given sufficient knowledge of the target system.

This vulnerability is present in all versions of Lockpoint from 2.4.6 and below, but only when used in conjunction with Confluence 7.1.x and below. If you are using Confluence 7.2 and above, your configuration is not vulnerable to this issue, regardless of your Lockpoint version.

Fix

Both of these issues can be corrected by upgrading to Lockpoint 2.4.7 or above. For the second issue only, an alternate possible resolution is to upgrade to Confluence 7.2 or higher without upgrading Lockpoint itself.

The fixed version, Lockpoint 2.4.7, is compatible with Confluence 6.0.1 and higher.

Workarounds

There are no other workarounds available.

Questions

If you have any questions, please contact Cenote Support.