MCP Atlassian Confluence Path Traversal Vulnerability in Attachment Download Tool Allowing Arbitrary Code Execution

Vulnerability

A critical vulnerability exists in the MCP Atlassian Confluence attachment download tool, prior to version 0.17.0. The tool's 'download_path' parameter lacks proper directory boundary enforcement, allowing attackers to write arbitrary content to any writable path on the server. This vulnerability can be exploited by uploading a malicious attachment to Confluence, which is then downloaded by the MCP tool to a sensitive location, such as a cron directory, leading to unauthorized code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where Confluence is running. Because the MCP tools can be invoked without authentication and act with the server's own Confluence credentials, the flaw can be exploited remotely or through a malicious Confluence page.

Reproduction

To reproduce this vulnerability, upload a file containing a valid cron entry as a Confluence attachment. Then, use the 'confluence_download_attachment' tool to download the attachment to a path like '/etc/cron.d/mcp-backdoor'. The content of the attachment will be executed as a cron job within a minute.

Remediation

Users should update to MCP Atlassian version 0.17.0 or later, where this vulnerability has been patched.
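The missing check is directory-boundary enforcement on the caller-supplied download path. The routine below is an added illustration of that check, not code from the MCP Atlassian project; the allowed base directory is an assumed value, and any path (absolute, relative, containing '..' or passing through a symlink) is resolved before it is required to stay under that base.

```python
from pathlib import Path

# Assumed download directory; the real project's location is not stated on this page.
ALLOWED_BASE = Path("/var/lib/mcp-atlassian/downloads")


def resolve_download_path(user_path: str, base: Path = ALLOWED_BASE) -> Path:
    """Return an absolute path confined to `base`, or raise ValueError.

    Joining an absolute `user_path` onto `base` discards `base` entirely, and
    '..' components can climb out of it, so the candidate is fully resolved
    (symlinks included) and then checked against the resolved base.
    """
    base = base.resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if candidate is outside base
    except ValueError:
        raise ValueError(f"download_path escapes allowed directory: {user_path!r}") from None
    return candidate


def is_confined(user_path: str, base: Path = ALLOWED_BASE) -> bool:
    """True if `user_path` would be written inside `base`, False otherwise."""
    try:
        resolve_download_path(user_path, base)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, a traversal attempt, and an absolute path.
    for p in ("report.pdf", "../../etc/cron.d/job", "/etc/cron.d/mcp-backdoor"):
        print(f"{p!r:35} confined={is_confined(p)}")
```

Absolute paths and traversal sequences are rejected before any file is written; an attachment name taken from Confluence should pass through the same check.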

Added: Mar 10, 2026, 9:03 PM
Updated: Mar 10, 2026, 9:03 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 3.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.