Confluence Data Center
CONFSERVER-58485

Confluence leaks group names when anonymous access is enabled


We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Issue Summary

As a side effect of allowing anonymous access to Confluence, the REST API leaks information such as group names. If your organisation uses this information for verification or authentication in other areas, then this information could be used in a compromise or attack. There may also be information contained in group names that would violate GDPR by being made freely available.

      Environment

Any Confluence instance that has anonymous access allowed at some level. There are some online examples below:

      https://wiki.akraino.org/rest/prototype/1/search/user-or-group.json?max-results=50&query=a
      https://confluence.atlassian.com/rest/prototype/1/search/user-or-group.json?max-results=50&query=a

      Suggested behaviour

      The ability to prevent this information from leaking when anonymous access is enabled. There are some external infrastructure changes that could be made to prevent this access, but it is not always a given that this could be implemented in the instance concerned. This should be part of Confluence's default settings.
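One of the "external infrastructure changes" mentioned above, as an added example that is not part of this issue or of Atlassian's documentation: an nginx reverse proxy in front of Confluence that keeps anonymous page access working but refuses the user-or-group search endpoint to anyone outside an internal range. The upstream address, host name and 10.0.0.0/8 range are placeholders.

```nginx
# Added example (not from the issue): nginx in front of Confluence, restricting the
# endpoint named in the issue so anonymous internet clients cannot enumerate groups.
# Assumptions (placeholders): Confluence listens on 127.0.0.1:8090, the public host
# name is wiki.example.com, and logged-in staff reach the wiki from 10.0.0.0/8.
upstream confluence {
    server 127.0.0.1:8090;
}

server {
    listen 443 ssl;
    server_name wiki.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Default: everything else is proxied unchanged, so anonymous page access
    # (the feature the issue wants to keep) still works.
    location / {
        proxy_pass http://confluence;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The user-or-group search endpoint from the issue. "^~" is a prefix match that
    # takes priority over regex locations, and the query string (for example
    # ?max-results=50&query=a) is not part of the match, so every variant is covered.
    # Only the internal range may reach it; everyone else receives 403.
    location ^~ /rest/prototype/1/search/user-or-group {
        allow 10.0.0.0/8;    # placeholder internal range
        deny  all;
        # Separate log so denied enumeration attempts are easy to alert on.
        access_log /var/log/nginx/confluence-user-search.log;
        proxy_pass http://confluence;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If Confluence's own user or group pickers call this endpoint, logged-in users outside the allowed range lose that autocomplete, so widen the allow list (for example to a VPN range) to match where your authenticated users actually connect from.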

Assignee: Unassigned
Reporter: wmasters Will Masters (Inactive)
Votes: 3
Watchers: 4