Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-32541

Confluence Administrator Can Add Himself to System Administrator Group

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a bug
    • Medium
    • None
    • 4.3.6
    • None

    • Confluence is running via Tomcat 6.0.32 on Windows Server 2008-64 bit. JDK: 1.7.0_07.

    Description

      I have found what I believe to be a security bug in Confluence that should be fixed.

      We have System Administrator function from the Confluence Administrator Group, and created a new Group called System Administrators (see attachment). The purpose was to give our Tech Writers the ability to access the Admin screen without giving them the ability to install add-ons. They belong to the Confluence-Administrators group, but not to the System-Administrators group.

      However, I have found out that they have the ability to add themselves to the System-Administrators group. This allows them to increase their own authority and install add-ons.

      They should not be able to add themselves to a group that has higher authority than they had.

      Attachments

        Activity

          People

            drizzuto David Rizzuto
            e026b759b9eb Chuck Minarik
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: