Details
- Bug
- Resolution: Fixed
- Low
- 7.12.5
- 1
- Severity 3 - Minor
- 0
Description
Issue Summary
The endpoint "rest/config/1.0/directory" can be accessed anonymously. It returns an XML document that exposes the gadgets installed on the Confluence instance.
While there is no identifying information, user data, or anything else available to anonymous users who hit this URL, a potential bad actor could learn which add-ons customers have installed in their Confluence instance and use that information to attack them. This could take the form of attacks that exploit those add-ons specifically, taking advantage of possible security vulnerabilities in those instances, or of phishing-like attacks where the bad actor impersonates vendors to get information from us.
Steps to Reproduce
Access <Confluence BASE URL>/rest/config/1.0/directory anonymously
Expected Results
The user gets redirected to log in
Actual Results
Notes
This happens even if public access is blocked using a flag in the dark features.
This page is used by the Confluence gadget plugin, so we don't recommend blocking it outright: doing so might cause some functionality in Confluence to fail, and this has not been tested.
Workaround
Block unauthenticated access to this particular URL, */rest/config/1.0/directory, at the network level; for example, block the URL from the proxy side. Another option is to do it in Apache Tomcat: How to block access to a specific URL at Tomcat
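The proxy-side variant of this workaround, as an added example that is not part of the issue or an Atlassian-supplied configuration. It assumes nginx terminates TLS in front of a Confluence node on 127.0.0.1:8090 and that trusted clients come from 10.0.0.0/8; both values are placeholders for your deployment. Rather than a blanket 403, it allow-lists the endpoint, so the gadget plugin keeps working for the Confluence host and internal users while anonymous internet clients are denied.

```nginx
server {
    listen 443 ssl;
    server_name confluence.example.com;   # placeholder hostname

    # Weak configuration: every path, including the gadget directory,
    # is proxied for anyone, so anonymous clients can enumerate gadgets.
    #
    # location / {
    #     proxy_pass http://127.0.0.1:8090;
    # }

    # Corrected: restrict this one path to trusted sources. "^~" is a
    # prefix match that stops regex evaluation, and it also covers
    # variants such as a trailing slash or Tomcat path parameters
    # ("/directory;jsessionid=..."), which an exact "=" match would miss.
    location ^~ /rest/config/1.0/directory {
        allow 127.0.0.1;      # Confluence node calling its own base URL (assumes proxy is co-located)
        allow 10.0.0.0/8;     # trusted internal network (assumption)
        deny  all;            # everyone else gets 403 instead of the XML listing
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is proxied unchanged; Confluence enforces its own
    # authentication for the rest of the application.
    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, an unauthenticated request to the path from outside the allow-listed ranges should return HTTP 403, while the same request from an internal address still reaches Confluence.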
Issue Links
- is caused by VULN-567573