  1. Confluence Cloud
  2. CONFCLOUD-54452

JSON-RPC API functions available anonymously even though anonymous API access is disabled.

Details

    Description

      The summary says it all really. The functions listed below can be used on our Confluence service even though we have Anonymous API Access disabled (check box not checked in admin control panel). This is an issue when it comes to Confluence sites that have sensitive user or group information.

      Functions in question:
      getUser
      getUserInformation
      hasGroup
      getServerInfo

      Information that can be obtained from each:
      getUser - User's email, full name, name, url
      getUserInformation - id, content, creation date, last modifier name, username, creator name, last modification date, and version of user
      hasGroup - whether a group exists in a Confluence instance or not
      getServerInfo - obtain major version, build id, minor version, development build, and patch level

      System Info:
      Atlassian Confluence OnDemand
      majorVersion:5
      buildId:4332
      minorVersion:1
      developmentBuild:true
      patchLevel:0

      This issue also occurs on previous versions of Confluence.

      • 3.5.16
      • majorVersion:4, buildId:3289, minorVersion:2, developmentBuild:false, patchLevel:8
      • majorVersion:5, buildId:4216, minorVersion:1, developmentBuild:false, patchLevel:1
      • majorVersion:5, buildId:4249, minorVersion:1, developmentBuild:false, patchLevel:4
      • majorVersion:5, buildId:4104, minorVersion:0, developmentBuild:false, patchLevel:0
      • majorVersion:5, buildId:4226, minorVersion:1, developmentBuild:false, patchLevel:3
      • majorVersion:4, buildId:3277, minorVersion:2, developmentBuild:false, patchLevel:1
      • majorVersion:4, buildId:3398, minorVersion:3, developmentBuild:false, patchLevel:7
      • majorVersion:4, buildId:3287, minorVersion:2, developmentBuild:false, patchLevel:7
      • majorVersion:4, buildId:3390, minorVersion:3, developmentBuild:false, patchLevel:1
      • majorVersion:4, buildId:3280, minorVersion:2, developmentBuild:false, patchLevel:3
      • majorVersion:4, buildId:3281, minorVersion:2, developmentBuild:false, patchLevel:4
      • majorVersion:4, buildId:3296, minorVersion:2, developmentBuild:false, patchLevel:13
      • majorVersion:4, buildId:3295, minorVersion:2, developmentBuild:false, patchLevel:12
      • majorVersion:4, buildId:3393, minorVersion:3, developmentBuild:false, patchLevel:3
      • majorVersion:4, buildId:3152, minorVersion:1, developmentBuild:false, patchLevel:10
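One way to look for this behaviour in your own access logs, added here as an example and not part of the original report or any Atlassian code: flag successful, unauthenticated requests to the four methods named above. The log layout (combined-log style with the user in the third field) and the `/rpc/json-rpc/confluenceservice-v2/<method>` path are assumptions; adjust both to your deployment. The sample lines are constructed.

```python
import re
from collections import Counter

# What each method discloses, as listed in the report above.
EXPOSES = {
    "getUser": "email, full name, name, url",
    "getUserInformation": "id, content, creator/modifier names, dates, version",
    "hasGroup": "whether a group exists",
    "getServerInfo": "major/minor version, build id, patch level",
}

# Assumed layout: ip ident user [time] "VERB path PROTO" status size
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<verb>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed JSON-RPC path; the method name is the last path segment.
RPC = re.compile(r"/rpc/json-rpc/confluenceservice-v2/(?P<method>\w+)")

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2014:10:00:01 +0000] "POST /rpc/json-rpc/confluenceservice-v2/getUser HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2014:10:00:02 +0000] "POST /rpc/json-rpc/confluenceservice-v2/hasGroup HTTP/1.1" 200 4',
    '203.0.113.20 - jsmith [01/Jan/2014:10:00:03 +0000] "POST /rpc/json-rpc/confluenceservice-v2/getUser HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2014:10:00:04 +0000] "GET /rpc/json-rpc/confluenceservice-v2/getServerInfo HTTP/1.1" 200 120',
    '192.0.2.44 - - [01/Jan/2014:10:00:05 +0000] "POST /rpc/json-rpc/confluenceservice-v2/getUserInformation HTTP/1.1" 403 0',
    '192.0.2.44 - - [01/Jan/2014:10:00:06 +0000] "GET /display/DOC/Home HTTP/1.1" 200 5120',
]

def find_anonymous_rpc_calls(lines):
    """Return (ip, method, exposes) for successful calls made with no user."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["user"] != "-" or m["status"] != "200":
            continue  # unparsable, authenticated, or rejected request
        r = RPC.search(m["path"])
        if r and r["method"] in EXPOSES:
            hits.append((m["ip"], r["method"], EXPOSES[r["method"]]))
    return hits

def summarize(hits):
    """Count hits per source address to surface bulk enumeration."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    for ip, method, exposes in find_anonymous_rpc_calls(SAMPLE):
        print(f"{ip} called {method} anonymously (exposes: {exposes})")
```

A 200 response with no authenticated user on any of these methods while Anonymous API Access is unchecked matches the behaviour described in this issue.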

            People

              alwang Alice Wang (Inactive)
              7afec4ea286f JacobP