Details
- Bug
- Resolution: Fixed
- High
- 1
- Severity 2 - Major
- 44
Description
Issue Summary
Anonymous access was able to remove the Confluence space
Steps to Reproduce
A Jira anonymous user is not able to make any space modification using the JSM Confluence link integration, as the API call responds with a 400 error.
But the integration between JSM and Confluence (using a regular user) can trigger a process without user context; Confluence accepts this as valid to modify permissions in any space, regardless of whether the user that requested the change has access/permissions on the spaces.
The following case is a repro I did in my lab, which is not what happened in the customer environment. A regular user account on JIRA (no admin):
- User does not have admin access in JIRA
- User knows how to invoke the API to trigger a Confluence permission change
- User does not have access to the space where the Confluence link is configured
- User does not have an account on Confluence and does not have permission to any space.
Expected Results
User should not be able to modify permission
Actual Results
- User is able to trigger the permission change event even if they did not have access to the JIRA project where it was configured
- User was able to modify permissions on Confluence even though the user does not have access in Confluence.
...
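The authorization gap described above, modelled as an added example (not Atlassian code): a Jira-to-Confluence link handler that applies a space permission change without user context, beside a version that checks the requesting user on both sides of the link. Project SD, space DOCS and the user names are constructed assumptions.

```python
from dataclasses import dataclass, field

class AuthorizationError(Exception):
    """Raised when the requester may not perform the permission change."""

@dataclass
class Project:
    key: str
    members: set = field(default_factory=set)  # Jira users who can see the project
    linked_space: str = ""                     # Confluence space key set on the JSM link

@dataclass
class Space:
    key: str
    admins: set = field(default_factory=set)   # Confluence users allowed to edit permissions

def build_lab():
    """Constructed sample data: project SD is linked to space DOCS; alice is a
    member of both; mallory is a Jira user with no project access and no
    Confluence account (the reporter's repro scenario)."""
    projects = {"SD": Project("SD", {"alice"}, "DOCS")}
    spaces = {"DOCS": Space("DOCS", {"alice"})}
    confluence_users = {"alice", "bob"}
    return projects, spaces, confluence_users

def change_permission_vulnerable(spaces, space_key, grantee):
    """Buggy shape from the ticket: the event is processed without user context,
    so the integration applies the change under its own privileges and never
    learns, let alone checks, who asked for it."""
    spaces[space_key].admins.add(grantee)
    return sorted(spaces[space_key].admins)

def change_permission_fixed(projects, spaces, confluence_users,
                            requester, project_key, space_key, grantee):
    """Hardened shape: the requester's identity travels with the event and is
    checked on the Jira side and the Confluence side before anything is applied."""
    project = projects.get(project_key)
    if project is None or requester not in project.members:
        raise AuthorizationError("requester cannot access the Jira project that owns the link")
    if project.linked_space != space_key:
        raise AuthorizationError("space is not the one configured on this project's link")
    if requester not in confluence_users:
        raise AuthorizationError("requester has no Confluence account")
    if requester not in spaces[space_key].admins:
        raise AuthorizationError("requester may not administer this space")
    spaces[space_key].admins.add(grantee)
    return sorted(spaces[space_key].admins)
```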
Workaround
Restrict the page edit setting to "only Confluence users".