CONFSERVER-68756 (Confluence Data Center)

Anonymous users can view list of installed gadgets in Confluence

    Description

      Issue Summary

      The endpoint "rest/config/1.0/directory" can be accessed anonymously. It returns an XML document that lists the gadgets installed on the Confluence instance.

      While no identifying information, user data, or anything else is available to anonymous users who hit this URL, a potential bad actor could use it to learn which add-ons customers have installed in their Confluence instance and use that information to their advantage when attacking them. This could take the form of attacks that exploit those add-ons specifically, taking advantage of possible security vulnerabilities in those instances, or of phishing-like attacks where the bad actor impersonates vendors to get information from us.

      Steps to Reproduce

      Access <Confluence BASE URL>/rest/config/1.0/directory anonymously

      Expected Results

      The user gets redirected to log in

      Actual Results

      The XML directory page is returned instead; the original issue attaches a screenshot of it.

      Notes

      This happens even if public access is blocked using the corresponding dark-feature flag.

      This page is used by the Confluence gadget plugin, so we do not recommend blocking it: doing so might cause some functionality in Confluence to fail, and this was not tested.

      Workaround

      Block unauthenticated access to this particular URL, */rest/config/1.0/directory, at the network level; for example, block the URL on the reverse proxy in front of Confluence. Another option is to block it in Apache Tomcat, as described in "How to block access to a specific URL at Tomcat".
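      As an added example (not from this issue or from Atlassian), the following Python script checks whether the exposure above is still reachable by scanning reverse-proxy access logs for requests that hit the gadget directory endpoint with a 2xx response; it assumes the common "combined" log format and the constructed sample lines below. The request path is normalised first, so a context-path prefix (e.g. /confluence), duplicate slashes, percent-encoding or Tomcat ;jsessionid path parameters do not hide the endpoint from the check, which is also the normalisation a proxy deny rule for the workaround needs to cover.

```python
import re
import posixpath
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumed: the proxy writes nginx/Apache "combined" format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Endpoint named in the issue; it sits under whatever context path Confluence uses.
ENDPOINT = "/rest/config/1.0/directory"

def normalize_path(target: str) -> str:
    """Canonicalise a request target: drop the query, percent-decode, strip ';param'
    path parameters from every segment, collapse '//' and resolve '.'/'..'."""
    path = unquote(urlsplit(target).path)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path)
    return path.rstrip("/") or "/"

def is_gadget_directory(target: str) -> bool:
    """True if the request reaches the gadget directory under any context path."""
    return normalize_path(target).endswith(ENDPOINT)

def scan(lines):
    """Return (hits per client IP, total) for endpoint requests answered with 2xx.
    A 2xx means the request was served rather than redirected to login or blocked."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_gadget_directory(m["target"]) and m["status"].startswith("2"):
            hits[m["ip"]] += 1
    return hits, sum(hits.values())

SAMPLE_LOG = [  # constructed sample lines, not taken from any real system
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /rest/config/1.0/directory HTTP/1.1" 200 4123',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /confluence/rest//config/1.0/directory;jsessionid=ABC HTTP/1.1" 200 4123',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /rest/config/1.0/%64irectory?x=1 HTTP/1.1" 200 4123',
    '198.51.100.2 - - [10/Oct/2023:14:01:02 +0000] "GET /rest/config/1.0/directory HTTP/1.1" 302 0',
    '198.51.100.2 - - [10/Oct/2023:14:01:05 +0000] "GET /rest/api/content?limit=1 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    hits, total = scan(SAMPLE_LOG)
    print(f"{total} served request(s) to {ENDPOINT}: {dict(hits)}")
```

Run it against the proxy log after applying the workaround: any remaining 2xx hits show requests that still get through.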

      People

      Assignee: Unassigned
      Reporter: Derek Howell (dhowell@atlassian.com)