Details
- Bug
- Resolution: Unresolved
- Medium
- 2
- Severity 3 - Minor
Description
Issue Summary
Media API links for attachments within products are accessible by external users who are not authenticated on the site and are not part of the IP addresses added to the IP allowlist.
Steps to Reproduce
In a Confluence site with the IP allowlist enabled, for example:
- Create a page
- Add some images/screenshots
- Open the image from the attachment section or try to download the images
- It will generate a request to the Media platform: https://api.media.atlassian.com/file/XXXXXXXXX/binary?client=XXXXXXXXX&token=XXXXXXXX&name=FILE-NAME.png
- Copy the link of the request from the browser Network Tab
- Try accessing it from a device whose IP address is not on the site's allowlist
Expected Results
External users who do not have access to the site and are not part of the allowed IP addresses should not be able to see the image.
Actual Results
External users can see the image with the link shared.
Workaround
No workaround available.
Issue Links
- was cloned as: CONFCLOUD-78161 Restrict access to https://api.media.atlassian.com download to only authenticated users (Gathering Interest)
- links to
- mentioned in
- resolves: ACE-5094