JSON-RPC API functions available anonymously even though anonymous API access is disabled.

      The summary says it all really. The functions listed below can be used on our Confluence service even though we have Anonymous API Access disabled (check box not checked in admin control panel). This is an issue when it comes to Confluence sites that have sensitive user or group information.

      Functions in question:
      getUser
      getUserInformation
      hasGroup
      getServerInfo

      Information that can be obtained from each:
      getUser - User's email, full name, name, url
      getUserInformation - id, content, creation date, last modifier name, username, creator name, last modification date, and version of user
      hasGroup - whether a group exists in a Confluence instance or not
      getServerInfo - obtain major version, build id, minor version, development build, and patch level

      System Info:
      Atlassian Confluence OnDemand
      majorVersion:5
      buildId:4332
      minorVersion:1
      developmentBuild:true
      patchLevel:0

      This issue also occurs on previous versions of Confluence.

      • 3.5.16
      • majorVersion:4, buildId:3289, minorVersion:2, developmentBuild:false, patchLevel:8
      • majorVersion:5, buildId:4216, minorVersion:1, developmentBuild:false, patchLevel:1
      • majorVersion:5, buildId:4249, minorVersion:1, developmentBuild:false, patchLevel:4
      • majorVersion:5, buildId:4104, minorVersion:0, developmentBuild:false, patchLevel:0
      • majorVersion:5, buildId:4226, minorVersion:1, developmentBuild:false, patchLevel:3
      • majorVersion:4, buildId:3277, minorVersion:2, developmentBuild:false, patchLevel:1
      • majorVersion:4, buildId:3398, minorVersion:3, developmentBuild:false, patchLevel:7
      • majorVersion:4, buildId:3287, minorVersion:2, developmentBuild:false, patchLevel:7
      • majorVersion:4, buildId:3390, minorVersion:3, developmentBuild:false, patchLevel:1
      • majorVersion:4, buildId:3280, minorVersion:2, developmentBuild:false, patchLevel:3
      • majorVersion:4, buildId:3281, minorVersion:2, developmentBuild:false, patchLevel:4
      • majorVersion:4, buildId:3296, minorVersion:2, developmentBuild:false, patchLevel:13
      • majorVersion:4, buildId:3295, minorVersion:2, developmentBuild:false, patchLevel:12
      • majorVersion:4, buildId:3393, minorVersion:3, developmentBuild:false, patchLevel:3
      • majorVersion:4, buildId:3152, minorVersion:1, developmentBuild:false, patchLevel:10

      Assignee: Alice Wang (Inactive)
      Reporter: JacobP
      Votes: 1
      Watchers: 5
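
A defender-side check for the exposure described in this report, added here as an example and not part of the original issue or of Atlassian's code: it scans access-log lines for successful unauthenticated requests to the four listed methods. The endpoint path `/rpc/json-rpc/confluenceservice-v2`, the common-log-format layout with the remote user in the third field, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The four methods the report lists as answering without authentication.
REPORTED_METHODS = {"getUser", "getUserInformation", "hasGroup", "getServerInfo"}
# Label for calls whose method name travels in the POST body and is not logged.
BODY_ONLY = "<method in POST body>"

# Assumed layout: host ident user [time] "VERB path proto" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<verb>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed endpoint path; the method name may follow it as a URL segment.
RPC_RE = re.compile(r'/rpc/json-rpc/confluenceservice-v\d+(?:/(?P<method>\w+))?/?$')

def scan(lines):
    """Count successful unauthenticated JSON-RPC requests per (client, method)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # Skip unparsable lines, authenticated users, and non-2xx responses.
        if not m or m["user"] != "-" or not m["status"].startswith("2"):
            continue
        rpc = RPC_RE.search(m["path"].split("?", 1)[0])
        if not rpc:
            continue
        if rpc["method"] is None:
            counts[(m["host"], BODY_ONLY)] += 1   # needs body logging to classify
        elif rpc["method"] in REPORTED_METHODS:
            counts[(m["host"], rpc["method"])] += 1
    return counts

# Constructed sample lines (documentation-range addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:01:02 +0000] "POST /rpc/json-rpc/confluenceservice-v2/getUser HTTP/1.1" 200 148',
    '192.0.2.10 - - [01/Jan/2000:10:01:03 +0000] "POST /rpc/json-rpc/confluenceservice-v2/hasGroup HTTP/1.1" 200 4',
    '192.0.2.10 - - [01/Jan/2000:10:01:04 +0000] "POST /rpc/json-rpc/confluenceservice-v2/getUser HTTP/1.1" 200 151',
    '198.51.100.7 - jsmith [01/Jan/2000:10:02:00 +0000] "POST /rpc/json-rpc/confluenceservice-v2/getUser HTTP/1.1" 200 150',
    '198.51.100.9 - - [01/Jan/2000:10:03:00 +0000] "POST /rpc/json-rpc/confluenceservice-v2 HTTP/1.1" 200 96',
    '198.51.100.9 - - [01/Jan/2000:10:03:05 +0000] "POST /rpc/json-rpc/confluenceservice-v2/getSpace HTTP/1.1" 403 60',
    '203.0.113.5 - - [01/Jan/2000:10:04:00 +0000] "GET /display/DOC/Home HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for (host, method), n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{host}\t{method}\t{n}")
```

Requests that carry the method name in the JSON body appear only as hits on the bare endpoint, so they are counted under a separate label and need request-body logging to attribute to a specific method.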