Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-30887

doremovespacemail action can be called by non-admins

XMLWordPrintable

      The doremovespacemail action is provided by the confluence-mail-archiving plugin, and allows all of the archived mail associated with a space to be removed. This action can be called by any authenticated user, which appears to be an oversight in access control, given that similar methods (such as doremovemail) firstly check that the caller has REMOVE_MAIL_PERMISSION permission.

      This could allow a malicious Confluence user who only has view access to a particular space to remove all of the archived mail from that space.

            [CONFSERVER-30887] doremovespacemail action can be called by non-admins

            Petro Semeniuk (Inactive) added a comment - - edited

            Notes for QR:

            1. Both confluence and anonymous user remove mail permission need to be disabled at space level
            2. Cache need to be flushed before checking

            Petro Semeniuk (Inactive) added a comment - - edited Notes for QR: Both confluence and anonymous user remove mail permission need to be disabled at space level Cache need to be flushed before checking

            Petro Semeniuk (Inactive) added a comment -

            xsrf tracked in https://jira.atlassian.com/browse/CONF-31433

            Petro Semeniuk (Inactive) added a comment - xsrf tracked in https://jira.atlassian.com/browse/CONF-31433

            VitalyA added a comment -

            See linked issue.

            VitalyA added a comment - See linked issue.

              psemeniuk Petro Semeniuk (Inactive)
              4d658525b00b Richard Turnbull
              Affected customers:
              0 This affects my team
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: