Confluence did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself.

Affected versions:

• Versions of Confluence starting with 4.3.0 before 6.2.1 are affected by this vulnerability.

Fix:

• Confluence Server 6.2.1 is available to download from https://www.atlassian.com/software/confluence/download.

 Workaround

If you are unable to upgrade to the fixed version or newer and need a workaround, you will need to disable in-app notifications from workbox as per the instructions found here:

1. Navigate to > General Configuration
2. Choose In-app Notifications in the left-hand panel
3. Select does not provide in-app notifications.
4. The workbox icon will disappear from the Confluence top menu bar.
    

Acknowledgements
Atlassian would like to credit Mathias Frank of SEC Consult Vulnerability Lab for reporting this issue to us.