
2019-12-23 Baselines for Confluence Security Advisory

Title

Authorization vulnerability for Confluence page tree

Summary

A vulnerability discovered in Baselines for Confluence allows an attacker to get the names and page tree locations of Confluence pages that should have been invisible to that user because of Page Restrictions.

Security Advisory Release Date

23.12.2019

Severity

Low

Affected Products

Baselines for Confluence Server

Affected Version(s)

From version 1.2.0.97 up to version 1.7.2.163 

Fixed Version(s)

1.7.3.165

Details

A vulnerability in Baselines for Confluence version 1.7.2.163 and earlier versions allows an attacker to get the names and locations of Confluence pages that should be restricted by Page Restrictions for that user.

  • To exploit this vulnerability, the attacker must already have a valid user account on Confluence. Attackers without a valid Confluence login cannot exploit this vulnerability.

  • The vulnerability only allows the attacker to see the page names and the locations of those pages in the page tree. The attacker cannot access or change the contents of those pages using this vulnerability.

Workaround

No workaround is available.

Permanent Fix

Upgrade to Baselines for Confluence 1.7.3.165 or above.

What you should do

If you are using a version of Baselines for Confluence between 1.2.0.97 and 1.7.2.163, you should update your app to version 1.7.3.165 or above.
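For administrators with several Confluence instances, the following added example (not part of the original advisory or the vendor's code) classifies installed app versions against the ranges stated above. The inventory host names and installed versions are constructed; the comparison is numeric per component, because a plain string comparison would sort a version such as 1.10.0.1 before 1.2.0.97.

```python
# Added example: triage installed Baselines for Confluence versions.
AFFECTED_FROM = (1, 2, 0, 97)   # first affected version, from the advisory
AFFECTED_TO = (1, 7, 2, 163)    # last affected version, from the advisory
FIXED_IN = (1, 7, 3, 165)       # fixed version, from the advisory


def parse_version(text):
    """Turn '1.7.2.163' into (1, 7, 2, 163); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return the advisory status for one installed version string."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unknown"        # cannot be parsed: check the instance by hand
    if version < AFFECTED_FROM:
        return "not affected"   # older than the first affected version
    if version <= AFFECTED_TO:
        return "affected"
    if version >= FIXED_IN:
        return "fixed"
    # Builds between 1.7.2.163 and 1.7.3.165 are not covered by the advisory.
    return "unverified"


def needs_action(inventory):
    """Map host -> status for every instance that is not clearly safe."""
    statuses = {host: classify(ver) for host, ver in inventory.items()}
    return {h: s for h, s in statuses.items() if s not in ("fixed", "not affected")}


# Constructed sample inventory (hypothetical hosts and installed versions).
SAMPLE_INVENTORY = {
    "wiki-a.example": "1.7.2.163",
    "wiki-b.example": "1.7.3.165",
    "wiki-c.example": "1.10.0.1",
    "wiki-d.example": "1.4.0",
}

if __name__ == "__main__":
    for host, status in sorted(needs_action(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```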

Support

If you have questions, you can reach the OBSS support team through https://pluginsupport.obss.com.tr/ or by sending an e-mail to plugin@obss.com.tr.

