Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-32541

Confluence Administrator Can Add Himself to System Administrator Group

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a bug
    • Icon: Medium Medium
    • None
    • 4.3.6
    • None

    • Confluence is running via Tomcat 6.0.32 on Windows Server 2008-64 bit. JDK: 1.7.0_07.

      I have found what I believe to be a security bug in Confluence that should be fixed.

      We have System Administrator function from the Confluence Administrator Group, and created a new Group called System Administrators (see attachment). The purpose was to give our Tech Writers the ability to access the Admin screen without giving them the ability to install add-ons. They belong to the Confluence-Administrators group, but not to the System-Administrators group.

      However, I have found out that they have the ability to add themselves to the System-Administrators group. This allows them to increase their own authority and install add-ons.

      They should not be able to add themselves to a group that has higher authority than they had.

        1. Confluence Global Permissions.jpg
          Confluence Global Permissions.jpg
          62 kB

            [CONFSERVER-32541] Confluence Administrator Can Add Himself to System Administrator Group

            Katherine Yabut made changes -
            Workflow Original: JAC Bug Workflow v3 [ 2902715 ] New: CONFSERVER Bug Workflow v4 [ 2997363 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow v2 [ 2800363 ] New: JAC Bug Workflow v3 [ 2902715 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow [ 2730857 ] New: JAC Bug Workflow v2 [ 2800363 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2396109 ] New: JAC Bug Workflow [ 2730857 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 2292557 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2396109 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2229717 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 2292557 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2187090 ] New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2229717 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 1913083 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2187090 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v3 [ 1724502 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 1913083 ]
            Katherine Yabut made changes -
            Workflow Original: CONF Bug Subtask WF (TEMP) [ 1680900 ] New: Confluence Workflow - Public Facing - Restricted v3 [ 1724502 ]

              drizzuto David Rizzuto
              e026b759b9eb Chuck Minarik
              Affected customers:
              0 This affects my team
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: