[CONFSERVER-32541] Confluence Administrator Can Add Himself to System Administrator Group - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Not a bug
Priority: Medium
Fix Version/s: None
Affects Version/s: 4.3.6
Component/s: None
Labels:
- administrator
- affects-server
- confluence
- group
- security
- system
Environment:

Confluence is running via Tomcat 6.0.32 on Windows Server 2008-64 bit. JDK: 1.7.0_07.

Bug Fix Policy:
View Atlassian Server bug fix policy

I have found what I believe to be a security bug in Confluence that should be fixed.

We have System Administrator function from the Confluence Administrator Group, and created a new Group called System Administrators (see attachment). The purpose was to give our Tech Writers the ability to access the Admin screen without giving them the ability to install add-ons. They belong to the Confluence-Administrators group, but not to the System-Administrators group.

However, I have found out that they have the ability to add themselves to the System-Administrators group. This allows them to increase their own authority and install add-ons.

They should not be able to add themselves to a group that has higher authority than they had.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

Confluence Global Permissions.jpg
62 kB
06/Feb/2014 8:13 PM

Assignee:: David Rizzuto

Reporter:: Chuck Minarik

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 06/Feb/2014 8:13 PM

Updated:: 11/Oct/2018 9:09 AM

Resolved:: 07/Feb/2014 12:14 AM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates