  1. Confluence Data Center
  2. CONFSERVER-26917

User name disclosure through auto-completion

Details

    • Bug
    • Resolution: Won't Fix
    • Low

    Description

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      cert.fr@cassidian.com reported the following vulnerability:

      === Vulnerability 1 ===
      == Type ==
      Information Disclosure

      == Product ==
      Atlassian Confluence

      == Severity ==
      Medium

      == Description ==
      Some fields in Confluence have an auto-completion feature for usernames or groups. The pages used to perform this auto-completion allow disclosure of all the usernames and groups of the application, without any restriction.
      Vulnerable pages are:

      • /confluence/users/userpicker.action
      • /confluence/spaces/dosearchgroupsnopermissions.action
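
Because the issue is resolved as Won't Fix, sweeps of these two pages have to be caught in access logs. The following is an added example, not part of the report and not Atlassian code: it flags clients that hit either endpoint more often than an interactive user would. It assumes "combined"-format access logs from a proxy in front of Confluence; the `max_hits` and `window` thresholds, the sample lines and the `placeholder` query parameter are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two auto-completion endpoints named in the report.
PICKER_PATHS = ("/confluence/users/userpicker.action",
                "/confluence/spaces/dosearchgroupsnopermissions.action")
# Assumed input: Apache/nginx "combined" access log lines.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def picker_hits(lines):
    """Yield (client_ip, timestamp) for each 200 response from a picker endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # malformed line or unsuccessful request
        # Drop the query string and any ;jsessionid path parameter before comparing.
        path = re.split(r"[?;]", m["target"], maxsplit=1)[0].lower()
        if path in PICKER_PATHS:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def flag_enumeration(lines, max_hits=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak hits inside one window} for clients above max_hits."""
    by_client = defaultdict(list)
    for ip, ts in picker_hits(lines):
        by_client[ip].append(ts)
    flagged = {}
    for ip, stamps in by_client.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            flagged[ip] = peak
    return flagged

# Constructed sample: one client sweeping an endpoint, one ordinary lookup, one junk line.
SAMPLE = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:{s:02d} +0000] '
    f'"GET {PICKER_PATHS[0]}?placeholder={s} HTTP/1.1" 200 512 "-" "-"'
    for s in range(0, 35, 5)
] + [
    f'198.51.100.4 - alice [01/Jan/2024:10:00:03 +0000] '
    f'"GET {PICKER_PATHS[1]} HTTP/1.1" 200 300 "-" "-"',
    "not a log line",
]
print(flag_enumeration(SAMPLE))
```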

            People

              Unassigned Unassigned
              dblack David Black