Email notifications for jiraissues macro reflect page owner permissions rather than permissions of notified user...

      When a notification is sent out for a page that includes the {jiraissues} macro, the list of issues is based on the page owner's permissions rather than the notified user's permissions.

      Here are the steps to reproduce:

      1. Set up the trust relationship between your JIRA and Confluence installs
      2. Create users "user1" and "user2" on both Confluence and JIRA
      3. In Confluence, create a TEST space that is visible to both user1 and user2.
      4. Log in as user2 and watch the TEST space. While you're logged in as user2, check your email preferences and make sure your email address is valid.
      5. Create a JIRA project (PRIVATE, for example)
      6. Create 1-2 issues in the new project
      7. Create a "private" group in JIRA
      8. Add user1 to the "private" group
      9. Create a permission scheme for the new project in which the "private" group is allowed to do everything and no other users are allowed to do anything.
      10. Assign the permission scheme to the new project
      11. Search for open issues in the new project
      12. Copy the XML URL from the search
      13. Log out of JIRA and log in as user2. When browsing or searching, user2 should not be able to see any issues in the private project (or even know that it exists).
      14. Log in to Confluence as user1. Create a page using the jiraissues macro and the URL copied above
      15. Log in to Confluence as user2. View the page containing the jiraissues macro, which correctly indicates that there are no issues (none are visible to the user).
      16. Check the mail address specified for user2. The notification will display issues that are not visible to user2 in either JIRA or Confluence.

      This bug is very specific to the mail notifications. All other views appear to respect user permissions.
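To make the authorization-context mistake concrete, here is an added Python model (not Confluence or Jira code; the classes and functions are hypothetical) that follows the report's users, project and group, and contrasts rendering the macro once as the page owner with rendering it once per recipient.

```python
from dataclasses import dataclass, field

# Constructed model of CONFSERVER-14388: a notification for a page whose
# {jiraissues} macro lists issues is rendered once, in the page owner's
# security context, so recipients receive issues they may not browse.
# Data structures and functions here are hypothetical, not Confluence APIs.

@dataclass
class Issue:
    key: str
    project: str

@dataclass
class Jira:
    scheme: dict   # project -> groups granted "browse" by its permission scheme
    groups: dict   # user -> groups the user belongs to
    issues: list = field(default_factory=list)

    def search(self, user, project):
        """Issue keys in `project` that `user` is permitted to browse."""
        allowed = self.scheme.get(project, set())
        if not (self.groups.get(user, set()) & allowed):
            return []
        return [i.key for i in self.issues if i.project == project]

def render_jiraissues(jira, project, viewer):
    """Macro body as seen by `viewer`: the issue list, or a no-issues note."""
    keys = jira.search(viewer, project)
    return "No issues found" if not keys else ", ".join(keys)

def notify_vulnerable(jira, page_owner, project, watchers):
    """Buggy: render once as the page owner and send that body to everyone."""
    body = render_jiraissues(jira, project, page_owner)
    return {w: body for w in watchers}

def notify_fixed(jira, project, watchers):
    """Fixed: render the macro in each recipient's own security context."""
    return {w: render_jiraissues(jira, project, w) for w in watchers}

def demo():
    # Constructed data mirroring the reproduction steps above.
    jira = Jira(scheme={"PRIVATE": {"private"}},
                groups={"user1": {"private"}, "user2": set()},
                issues=[Issue("PRIVATE-1", "PRIVATE"), Issue("PRIVATE-2", "PRIVATE")])
    watchers = ["user1", "user2"]
    return (notify_vulnerable(jira, "user1", "PRIVATE", watchers),
            notify_fixed(jira, "PRIVATE", watchers))
```

In `demo()` the vulnerable path mails user2 both PRIVATE keys, while the fixed path mails user2 the same "No issues found" that the page itself shows that user.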

            [CONFSERVER-14388] Email notifications for jiraissues macro reflect page owner permissions rather than permissions of notified user...

            David Black added a comment -

            aatkins can you reproduce this issue in Confluence 4?

            VitalyA added a comment -

            Dave to verify.

            VitalyA added a comment - Dave to verify.

            David Black added a comment - edited

            CVSS score: 4 => Medium severity

            Exploitability Metrics

            AccessVector Network
            AccessComplexity Low
            Authentication Single Instance

            Impact Metrics

            ConfImpact Partial
            IntegImpact None
            AvailImpact None

            See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

            David Black added a comment - - edited CVSS score: 4 => Medium severity Exploitability Metrics AccessVector Network AccessComplexity Low Authentication Single Instance Impact Metrics ConfImpact Partial IntegImpact None AvailImpact None See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

            Nate Homitsky added a comment -

            Are there any plans on fixing this issue or any suggested workarounds? This is a big security loophole if page-level security is often used.

            Note that this is not just the jiraissues macro, but any Confluence content macro (recently-updated, contentbylabel, etc.).

            Frank Stiller added a comment -

            I think these two are connected somehow. The main purpose here isn't the notification if some remote information is changed, but it also notifies on rendering a dynamic piece of content.

              Assignee: Unassigned
              Reporter: aatkins (TonyA)
              Affected customers: 6
              Watchers: 9