The renderContent method can be used by anonymous users, leaking information, and allowing macro execution.

      Should the entire JSON-RPC be inaccessible to anonymous users if anonymous users can't use Confluence?


            [CONFSERVER-32955] JSON-RPC API allows anonymous content rendering

            Owen made changes -
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Alex Yakovlev (Inactive) made changes -
            Labels Original: affects-server bugfix cvss-medium loyalty rest-api security New: affects-server cvss-medium loyalty rest-api security
            Alex Yakovlev (Inactive) made changes -
            Labels Original: affects-server bugfix cvss-medium rest-api security New: affects-server bugfix cvss-medium loyalty rest-api security

              vvo Vu Truong Vo (Inactive)
              djohnson@atlassian.com Dougall Johnson
              Affected customers: 1
              Watchers: 5
