[CONFSERVER-32955] JSON-RPC API allows anonymous content rendering - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.5.1
Affects Version/s: 5.4.3
Component/s: Core - Content REST APIs
Labels:

CVSS Score:
5
Bug Fix Policy:
View Atlassian Server bug fix policy

The renderContent method can be used by anonymous users, leaking information, and allowing macro execution.

Should the entire JSON-RPC be inaccessible to anonymous users if anonymous users can't use confluence?

relates to

CONFCLOUD-54452 JSON-RPC API functions available anonymously even though anonymous API access is disabled.

Closed

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...

(1 mentioned in)

Assignee:: Vu Truong Vo (Inactive)

Reporter:: Dougall Johnson

Affected customers:: 1 This affects my team

Watchers:: 5 Start watching this issue

Created:: 17/Mar/2014 2:18 AM

Updated:: 11/Oct/2018 8:48 AM

Resolved:: 28/Apr/2014 3:32 AM