Anonymous users can view remote agent details


    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 4.4.4, 5.0
    • Affects Version/s: 4.1, 4.2, 4.3
    • Component/s: Agents
    • Labels: None

      In Bamboo 4.1, I have several remote agents configured and running builds. In my browser I explicitly logout using the logout link, close browser, and start fresh browser session and try using several direct links to Bamboo plans and get prompted to login, which is expected behavior. I do not login, but if I visit URL http://<my-bamboo-host-and-port>/agent/viewAgents.action I can view the list of all agents, click an agent name, and drill down to view the agents details.

      Note, the link to the Local Agent works and allows an anonymous user to view Local Agent details including a list of all of its recent builds and the capabilities configured on it (security information leakage).

      The links to the remote agent prompt for login as the links are:

      /admin/agent/viewAgent.action?agentId=131076

      BUT if I change the link to:

      /agent/viewAgent.action?agentId=131076

      I can then view the list of builds for that agent and its capabilities. This is a medium-severity security issue as information leakage.
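      As an added illustration (not Bamboo's own code, which this report does not show), the Python below models the class of gap the report describes: an authorization rule keyed to the /admin/ URL prefix, which misses the same action reached at a second path, next to a hardened rule that binds the permission to the action itself. Agent ids are taken from the report; the agent details, user model and action table are constructed assumptions.

```python
# Added example, not Bamboo's code: models the authorization gap in this report.
# A URL-prefix rule protects /admin/agent/viewAgent.action but the same action
# served at /agent/viewAgent.action is never checked. The hardened rule attaches
# the required permission to the action name, so every route to it is covered.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Request:
    path: str
    user: Optional[str]        # None means anonymous (logged out)
    is_admin: bool = False


# Constructed sample data: the agent id from the report, hypothetical details.
AGENTS = {131076: "remote-agent-1 (capabilities: jdk, maven; recent builds: 3)"}


def view_agent(agent_id: int) -> str:
    return AGENTS.get(agent_id, "unknown agent")


def path_prefix_authz(req: Request) -> bool:
    """Weak rule: only URLs under /admin/ require an admin login."""
    if req.path.startswith("/admin/"):
        return req.is_admin
    return True            # anything else is treated as public


# Hardened rule: permission is a property of the action, not of the URL path.
ACTION_PERMISSIONS: Dict[str, str] = {"viewAgent.action": "ADMIN"}


def action_authz(req: Request) -> bool:
    """Look up the permission by action name, regardless of the URL prefix."""
    action = req.path.rsplit("/", 1)[-1].split("?")[0]
    needed = ACTION_PERMISSIONS.get(action)
    if needed is None:
        return req.user is not None   # default: deny anonymous users
    return req.is_admin if needed == "ADMIN" else req.user is not None


def dispatch(req: Request, authz: Callable[[Request], bool]) -> str:
    """Run the chosen authorization rule, then serve the agent details."""
    if not authz(req):
        return "302 redirect to login"
    query = req.path.split("?", 1)[1] if "?" in req.path else ""
    params = dict(p.split("=", 1) for p in query.split("&") if p)
    return "200 " + view_agent(int(params["agentId"]))
```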

            Assignee:
            Marcin Gardias
            Reporter:
            Adam Myatt
            Votes:
            0
            Watchers:
            4
