Even if I start Confluence with -Dconfluence.disable.peopledirectory.anonymous=true, it is still possible to browse individual users by visiting a URL like https://[wikiBaseUrl]/display/~[accountName].

This is a major security problem for us because it exposes:
1. The user's name
2. The user's ID
3. The user's email address

Evidence of the data leakage can be found by searching Google on the account name of people in the People Directory.

Because of this problem, we had to disable all anonymous access to our system, and I am dealing with fallout from reduced institutional confidence in Atlassian Confluence.

"Best security practices" should require this information not be made available anonymously without a sysadmin override.

Also, it should be easier for administrators to restrict access than by hacking the registry (for Windows Service-based installs) or modifying setenv.bat.

I set priority to "critical" because:
A. This has negatively impacted our use of Atlassian. I had to disable anonymous view privileges on wiki spaces that we needed to be exposed to the world (like our Help Desk wiki space).
B. This is a security hole.
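The check an administrator would want after applying the workaround above is a repeatable way to confirm that an unauthenticated request for `/display/~<accountName>` on their own instance no longer returns a profile page. The script below is an added example and is not code from the reporter or from Atlassian; the base URL and account name are placeholders, the assumption that an anonymous request is redirected to `login.action` when access is restricted is mine, and the sample responses in the test are constructed.

```python
"""Verify that a Confluence user profile is not served to anonymous visitors.

Added example for CONFSERVER-13276, not Atlassian's code. Assumptions:
  - the instance base URL and account name are supplied by the operator;
  - a restricted profile request ends up on Confluence's login.action page
    (or answers 401/403); anything else with HTTP 200 is treated as exposed.
"""
import re
import sys
import urllib.error
import urllib.request

# Loose e-mail matcher: the issue says the profile leaks the user's address,
# so a 200 response containing one is the strongest signal of exposure.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(body):
    """Return the distinct e-mail addresses found in an HTML body, in order."""
    seen = []
    for match in EMAIL_RE.findall(body):
        if match not in seen:
            seen.append(match)
    return seen


def classify_profile_response(status, final_url, body):
    """Classify an unauthenticated profile request.

    Returns 'denied' (401/403), 'not-found' (404), 'login-required'
    (redirected to login.action, an assumption about Confluence's login URL),
    or 'exposed' (any other 200 response: the profile page was served).
    """
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"
    if "login.action" in final_url:
        return "login-required"
    if status == 200:
        return "exposed"
    return "unexpected-%d" % status


def fetch_anonymous(url, timeout=10):
    """GET a URL with no cookies or credentials; redirects are followed.

    Returns (status, final_url, body) for both success and HTTP error replies.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "profile-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.geturl(), err.read().decode("utf-8", "replace")


def check_profile(base_url, account_name, timeout=10):
    """Run the anonymous check against one profile URL on your own instance.

    Returns (verdict, emails_found). A verdict of 'exposed' means the
    workaround (-Dconfluence.disable.peopledirectory.anonymous=true) is not
    doing what the operator expects for this URL.
    """
    url = "%s/display/~%s" % (base_url.rstrip("/"), account_name)
    status, final_url, body = fetch_anonymous(url, timeout)
    verdict = classify_profile_response(status, final_url, body)
    emails = extract_emails(body) if verdict == "exposed" else []
    return verdict, emails


if __name__ == "__main__":
    # Usage: python check_profile.py https://wiki.example.org someaccount
    # (placeholder values; run only against an instance you administer)
    if len(sys.argv) != 3:
        sys.exit("usage: %s <base-url> <account-name>" % sys.argv[0])
    verdict, emails = check_profile(sys.argv[1], sys.argv[2])
    print("verdict: %s" % verdict)
    if emails:
        print("e-mail addresses visible anonymously: %s" % ", ".join(emails))
    sys.exit(1 if verdict == "exposed" else 0)
```

The exit status makes the script usable as a post-deployment gate: a non-zero exit after changing setenv.bat or the service registry entry means the flag did not take effect for the profile URL, which is exactly the case the report describes.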

[CONFSERVER-13276] Restrict anonymous users from viewing user profiles.

Labels: affects-cloud affects-server qa-manual security

Paul Curren
Aren Cambre
Affected customers: 7
Watchers: 7
