Confluence WebDAV Client Plugin, Widget Connector Macro, and Download All Attachments Disabled
This article applies to: Confluence
On the advice of the vendor and the Cornell IT Security Office, the Confluence WebDAV client plugin, the Widget Connector macro, and the “Download All” attachments option have been disabled.
WebDAV client plugin
We are unable to identify which spaces are using the WebDAV client plugin to access Confluence through a native client for performing bulk actions.
Widget Connector macro
We have identified 218 pages across various spaces that are currently using the Widget Connector macro to embed online videos, slideshows, photo streams, or calendars in Confluence. If you think your Confluence space may be affected and you have access to the impacted page, you can confirm by using the Search Results for Widget Macro to identify pages affected by this change.
You will no longer be able to view embedded content on pages that rely on the Widget Connector macro. The Source Editor can show the URL to directly access the content. As a workaround, you can include in your text a hyperlink to the URL in place of the widget.
Download All Attachments
The option to download all attachments associated with a Confluence space with a single click is being disabled. Individual attachment downloads will continue to work. The vendor has identified the “Download All” attachments option as a potential security vulnerability. The option will still be visible after the change, but clicking it will produce the error “The requested resource is not available.”
Once the Confluence upgrade project that’s currently underway is complete, these add-ons and features will be re-enabled. The add-ons are delivered by the application and do not have an individual update or fix. The only options are upgrading the entire system or disabling the add-ons.