[CONFSERVER-30887] doremovespacemail action can be called by non-admins

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 5.4.1
Affects Version/s: 5.2.3
Component/s: Server - Mail Archiving
Labels:
Environment:

Confluence version 5.2.3 (standalone)
Running on Ubuntu Server 12.04.

CVSS Score:
4
Bug Fix Policy:
View Atlassian Server bug fix policy

The doremovespacemail action is provided by the confluence-mail-archiving plugin, and allows all of the archived mail associated with a space to be removed. This action can be called by any authenticated user, which appears to be an oversight in access control, given that similar methods (such as doremovemail) firstly check that the caller has REMOVE_MAIL_PERMISSION permission.

This could allow a malicious Confluence user who only has view access to a particular space to remove all of the archived mail from that space.

mentioned in: Page Failed to load; Wiki Page Failed to load

Katherine Yabut made changes - 13/Nov/2018 4:43 AM

Workflow

Original: JAC Bug Workflow v3 [ 2879971 ]

New: CONFSERVER Bug Workflow v4 [ 2988691 ]

Owen made changes - 11/Oct/2018 8:43 AM

Workflow	Original: JAC Bug Workflow v2 [ 2780057 ]	New: JAC Bug Workflow v3 [ 2879971 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:13 PM

Workflow

Original: JAC Bug Workflow [ 2723083 ]

New: JAC Bug Workflow v2 [ 2780057 ]

Owen made changes - 02/Jul/2018 6:59 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2393749 ]

New: JAC Bug Workflow [ 2723083 ]

Alex Yakovlev (Inactive) made changes - 16/Oct/2017 3:51 AM

Labels

Original: NCC affects-server bugfix cvss-medium loyalty mail-archiving mail_archive security

New: NCC affects-server cvss-medium loyalty mail-archiving mail_archive security

Alex Yakovlev (Inactive) made changes - 16/Oct/2017 3:42 AM

Labels

Original: NCC affects-server bugfix cvss-medium mail-archiving mail_archive security

New: NCC affects-server bugfix cvss-medium loyalty mail-archiving mail_archive security

Katherine Yabut made changes - 22/Jun/2017 6:51 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2288612 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2393749 ]

Katherine Yabut made changes - 31/May/2017 5:37 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2227348 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2288612 ]

Katherine Yabut made changes - 31/May/2017 4:58 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2182824 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2227348 ]

Katherine Yabut made changes - 31/May/2017 2:02 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1951039 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2182824 ]

Assignee:: Petro Semeniuk (Inactive)

Reporter:: Richard Turnbull

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 20/Sep/2013 5:08 PM

Updated:: 11/Oct/2018 8:43 AM

Resolved:: 02/Dec/2013 10:40 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates