• Released 13 Aug 2019


Critical Security Update

This release fixes a security vulnerability that has been discovered in ScriptRunner for Confluence. The vulnerability affects version 4.3.1 - 5.5.8 (inclusive) of ScriptRunner for Confluence.

The vulnerability is classified as critical in line with Atlassian’s Security Levels.

The Markdown macro in ScriptRunner for Confluence enables users to render a markdown document in a page, blogpost or comment. The vulnerability is a Server Side Request Forgery (SSRF) that can be exploited by an unauthorized user to access internal resources accessible to the Confluence server, including files.

After you upgrade, a Confluence administrator will need to add the websites hosting approved Markdown documents to Confluence’s whitelist. Follow the detailed instructions in the Markdown Macro documentation on the whitelist.

How to Find URLs to Whitelist

The easiest way to find affected content is to do a quick search for which pages contain the Markdown Macro. ScriptRunner for Confluence makes this easy by adding a CQL Search feature right into Confluence???s main search.

To make use of it, start typing a search query and the search panel should pop out. Click Advanced Search.

On the search page, enter this query into the search box:

macro = markdown

…​then click the CQL Search button. A list of pages with the Markdown Macro should appear.

From the search results, you can visit a page and edit it to see the URL used for that content.

You do not need to whitelist each individual URL. Confluence’s whitelist allows administrators to specify permitted domains or URL patterns. We recommend whitelisting https://bitbucket.com, https://raw.githubusercontent.com, and https://raw.github.com by default, as they will represent some of the most common use cases for this macro. All HTML produced by the Markdown Macro is sanitized to protect against cross-site scripting attacks, but you may use a more restrictive pattern such as https://bitbucket.com/MyCompany/* at your discretion. Any linked Atlassian applications, such as a linked Bitbucket Server instance, will be whitelisted by default as well.

Replacing File URLs

One of the use cases originally supported by the Markdown Macro was specifying file paths on the server or on remote FTP servers using URLs with the file:// or ftp:// prefix.

As the Confluence whitelist only supports http and https URLs, supporting file-based URLs requires a workaround. To that end, we have documented how to setup a REST Endpoint to securely read files from the filesystem on the Confluence server (including network shares) or from remote FTP servers.


  • Released 10 July 2019

Bug Fixes

  • [SRCONF-397] - Lock-content macro: Error message when restricting a group in template
  • [SRCONF-471] - Built-in macros not available to select


  • Released 19 June 2019

New Features

  • [SRCONF-708] - Javadoc lookup for Confluence
  • [SRPLAT-96] - Custom event listeners should be able to listen to events provided by plugins
  • [SRCONF-706] - ScriptRunner for Confluence + Comala Workflows

Bug Fixes


  • Released 15 May 2019.


Anonymous Analytics

Anonymous Analytics collects data allowing Adaptavist to gain insight into ScriptRunner usage. A new settings option allows administrators to switch Anonymous Analytics on or off. See our documentation for more information.

Code Insight

This release includes our first version of code insight, a set of features designed to increase productivity, discovery, and enjoyement, when writing code in ScriptRunner.

This consists of code completions, parameter lookups, and javadoc links (javadoc links currently for Jira only).

Take a look at the documentation for more information.

Bug Fixes

  • [SRCONF-425] - Rename labels wrong error message position
  • [SRCONF-437] - Prune old versions terminates if a new version is created while the script is running
  • [SRCONF-666] - Built in Script Transformation window throws a 500 when checking the code in the script window