Confluence Administrator Can Add Himself to System Administrator Group


    • Type: Bug
    • Resolution: Not a bug
    • Priority: Medium
    • Affects Version/s: 4.3.6
    • Component/s: None
    • Environment:

      Confluence is running via Tomcat 6.0.32 on Windows Server 2008 64-bit. JDK: 1.7.0_07.

I have found what I believe to be a security bug in Confluence that should be fixed.

We have System Administrator function from the Confluence Administrator Group, and created a new Group called System Administrators (see attachment). The purpose was to give our Tech Writers the ability to access the Admin screen without giving them the ability to install add-ons. They belong to the Confluence-Administrators group, but not to the System-Administrators group.

However, I have found out that they have the ability to add themselves to the System-Administrators group. This allows them to increase their own authority and install add-ons.

They should not be able to add themselves to a group that has higher authority than they had.

    • Assignee: David Rizzuto (Inactive)
    • Reporter: Chuck Minarik
    • Votes: 0
    • Watchers: 3
