[CONFSERVER-29534] Passwords of configured SMTP mail accounts are stored in cleartext

Type: Suggestion
Resolution: Unresolved
Fix Version/s: None
Component/s: None
Labels:
Environment:
Confluence 5.1.3 and Confluence 4.3.7 + Jira 5.2.7 on Linux (CentOS 5) with MySQL 5.1.34 or PostgreSQL 8.4.17

UIS:
1
Support reference count:
5
Feedback Policy:

We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

NOTE: This suggestion is for Confluence Data Center. Using Confluence Cloud? See the corresponding suggestion.

Atlassian Update - 8 February 2024

Hi everyone,

This is Kathleen from the Confluence team. Thank you for your interest in this suggestion. We understand that this functionality is important to many of you.

We are considering this feature for the Confluence roadmap and hope to start development when our current projects are completed.

To learn more about our recent investments in Confluence Data Center, please check our public roadmap and our dashboards containing recently resolved issues, and current work and future plans.

Kind regards,
Confluence Data Center

Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by:

SELECT * FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts';

Even when being an admin I should NOT be able to read-out other users email account password!

This problem exists for Confluence AND Jira as well.

is related to

CONFSERVER-2146 Encrypt all passwords stored on the file system

Closed

relates to

CONFCLOUD-29534 Passwords of configured SMTP mail accounts are stored in cleartext

Closed

mentioned in: Page Failed to load; Page Failed to load

Form Name

SET Analytics Bot made changes - 27/Apr/2025 4:08 AM

Support reference count

Original: 1

New: 5

Jeremy R made changes - 06/Dec/2024 8:23 PM

Labels	Original: admin-console affects-server dmb-legacy-jac-none no-cvss-required not-80 panther security security_flaw shouldBePrivate	New: admin-console affects-server dmb-legacy-jac-none no-cvss-required not-80 panther security security_flaw
Security	Original: Reporter and Atlassian Staff [ 10751 ]

Zaro made changes - 02/Dec/2024 1:57 PM

Labels	Original: admin-console affects-server dmb-legacy-jac-none no-cvss-required not-80 panther security security_flaw	New: admin-console affects-server dmb-legacy-jac-none no-cvss-required not-80 panther security security_flaw shouldBePrivate
Security		New: Reporter and Atlassian Staff [ 10751 ]

Sumitra Sahu (Inactive) made changes - 21/Jun/2024 4:29 AM

Assignee

Original: Sumitra Sahu [ 24ee36512d14 ]

Kathleen Xu made changes - 08/Feb/2024 3:22 AM

Description

Original: {panel:bgColor=#e7f4fa}
*NOTE:* This suggestion is for {*}Confluence Data Center{*}. Using {*}Confluence Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29534].
{panel}
Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by:
{code:java}
SELECT * FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts';
{code}
Even when being an admin I should *NOT* be able to read-out other users email account password!

This problem exists for Confluence *AND* Jira as well.

New: {panel:bgColor=#e7f4fa}
*NOTE:* This suggestion is for {*}Confluence Data Center{*}. Using {*}Confluence Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29534].
{panel}
{panel:title=Atlassian Update - 8 February 2024|borderStyle=solid|borderColor=#6554c0|titleBGColor=#6554c0|bgColor=#eae6ff|titleColor=#ffffff}
Hi everyone,

This is Kathleen from the Confluence team. Thank you for your interest in this suggestion. We understand that this functionality is important to many of you.

We are considering this feature for the Confluence roadmap and hope to start development when our current projects are completed.

To learn more about our recent investments in Confluence Data Center, please check our [public roadmap|https://www.atlassian.com/roadmap/data-center?status=released&product=confluence] and our dashboards containing [recently resolved issues|https://jira.atlassian.com/secure/Dashboard.jspa?selectPageId=108194], and [current work and future plans|https://jira.atlassian.com/secure/Dashboard.jspa?selectPageId=108195].

Kind regards,
Confluence Data Center
{panel}
Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by:
{code:java}
SELECT * FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts';
{code}
Even when being an admin I should *NOT* be able to read-out other users email account password!

This problem exists for Confluence *AND* Jira as well.

Kathleen Xu made changes - 08/Feb/2024 3:21 AM

Description

Original: {panel:bgColor=#e7f4fa}
*NOTE:* This suggestion is for {*}Confluence Server{*}. Using {*}Confluence Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29534].
{panel}
Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by:
{code:java}
SELECT * FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts';
{code}
Even when being an admin I should *NOT* be able to read-out other users email account password!

This problem exists for Confluence *AND* Jira as well.

New: {panel:bgColor=#e7f4fa}
*NOTE:* This suggestion is for {*}Confluence Data Center{*}. Using {*}Confluence Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29534].
{panel}
Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by:
{code:java}
SELECT * FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts';
{code}
Even when being an admin I should *NOT* be able to read-out other users email account password!

This problem exists for Confluence *AND* Jira as well.

Kathleen Xu made changes - 08/Feb/2024 3:21 AM

Description

Original: {panel:bgColor=#e7f4fa}
*NOTE:* This suggestion is for *Confluence Server*. Using *Confluence Cloud*? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29534].
{panel}

Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by:
{code}
SELECT * FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts';
{code}

Even when being an admin I should *NOT* be able to read-out other users email account password!

This problem exists for Confluence *AND* Jira as well.

New: {panel:bgColor=#e7f4fa}
*NOTE:* This suggestion is for {*}Confluence Server{*}. Using {*}Confluence Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29534].
{panel}
Passwords for configured mail accounts are stored in clear text in the database as can be seen e.g. by:
{code:java}
SELECT * FROM BANDANA WHERE BANDANAKEY = 'atlassian.confluence.space.mailaccounts';
{code}
Even when being an admin I should *NOT* be able to read-out other users email account password!

This problem exists for Confluence *AND* Jira as well.

Kathleen Xu made changes - 08/Feb/2024 3:19 AM

PM Reviewed		New: 08/Feb/2024
Status	Original: Reviewing [ 11773 ]	New: Under Consideration [ 11774 ]

Charlie Marriott made changes - 03/Jan/2024 4:20 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 851309 ]

SET Analytics Bot made changes - 24/Nov/2023 2:01 AM

UIS

Original: 2

New: 1

Assignee:: Unassigned

Reporter:: Rainer Pöhlmann

Votes:: 7 Vote for this issue

Watchers:: 14 Start watching this issue

Created:: 05/Jun/2013 6:39 AM

Updated:: 27/Apr/2025 4:08 AM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates