All issues

Order by Created
  1. Public Security Vulnerability
    CONFSERVER-98205Stored XSS in Confluence Data Center and Server
  2. Bug
    CONFSERVER-98204Importing a site or space into Confluence 8.5.16 fails with error "java.io.InvalidClassException: Unauthorized deserialization attempt"
  3. Bug
    CONFSERVER-98199Using an invalid or wrong personal access token with REST API is incorrectly handled as anonymous user instead of as an unauthorized request
  4. Suggestion
    CONFSERVER-98194Notion to Confluence migration - copy over toggles
  5. Suggestion
    CONFSERVER-98193REST API GET method to retrieve spaces with anonymous access.
  6. Bug
    CONFSERVER-98192Pasting a URL with "()" characters inside the editor breaks the link
  7. Public Security Vulnerability
    CONFSERVER-98190Directory Traversal moment Dependency in Confluence Data Center and Server
  8. Public Security Vulnerability
    CONFSERVER-98189ReDoS (Regular Expression Denial of Service) moment Dependency in Confluence Data Center and Server
  9. Public Security Vulnerability
    CONFSERVER-98188Path Traversal moment Dependency in Confluence Data Center and Server
  10. Suggestion
    CONFSERVER-98187Synchrony should come with diagnostic logs and GC logs enabled
  11. Suggestion
    CONFSERVER-98186Addition of 'BeforeUserAuthenticate' Event
  12. Suggestion
    CONFSERVER-98183REST API for profile settings
  13. Bug
    CONFSERVER-98181Cosmetic issue: Duplicate Error message while uploading the Attachment on Confluence unpublished draft in Edit Mode.
  14. Bug
    CONFSERVER-98180Uploading 2 attachments to same page at the same time via REST API will cause 500 error
  15. Bug
    CONFSERVER-98179Storage order of the atlassian-confluence.log seems to have changed in 8.5
  16. Suggestion
    CONFSERVER-98153Password aging, expiry, and rotation for improved password management
  17. Bug
    CONFSERVER-98151The create button and the three dots next to it are not displayed when users navigate to a space link where they do not have view permission
  18. Suggestion
    CONFSERVER-98147Official support to subscribe to Airtable calendars from Team Calendars
  19. Bug
    CONFSERVER-98146Document/PDF file containing Web URL doesn't get render as HyperLink in preview mode of the file on Confluence Page.
  20. Bug
    CONFSERVER-98149Fix content property field mappings
  21. Suggestion
    CONFSERVER-98145Hide labels from users if they exist only in inaccessible contents
  22. Bug
    CONFSERVER-98144Jira Issue Macro doesn't refresh when displaying "Epic Name" or "Epic Link"
  23. Suggestion
    CONFSERVER-98143Ability to nest LDAP groups under local groups for centralized permission management
  24. Suggestion
    CONFSERVER-98142Ability to backup, restore, and merge Confluence Analytics data
  25. Suggestion
    CONFSERVER-98140Confluence Mobile App - Embedded Web View
  26. Suggestion
    CONFSERVER-98139Troubleshooting and Support Tools plugin should support custom log path locations
  27. Bug
    CONFSERVER-98110Page history comparison not showing correctly with changes in the page having Jira Issues
  28. Suggestion
    CONFSERVER-98109Related Labels macro should have an option to filter by space and/or show only the related labels on that space
  29. Suggestion
    CONFSERVER-98107Add option to save Web images as attachments
  30. Suggestion
    CONFSERVER-98106Update PDF/PPTX Text Extract and preview conversion
  31. Suggestion
    CONFSERVER-98105Option to integrate Microsoft Copilot for Microsoft 365 with Confluence Data Center
  32. Suggestion
    CONFSERVER-98103Atlassian Intelligence for Jira Data Center
  33. Bug
    CONFSERVER-98102Anonymous do not see CSS stylesheet
  34. Suggestion
    CONFSERVER-98072Make 'Centralized license visibility' plugin compatible with Confluence version 9.x.x
  35. Suggestion
    CONFSERVER-98071Make 'Atlassian REST API Browser' plugin compatible with Confluence version 9.x.x
  36. Bug
    CONFSERVER-98070Diagrams from Excel Sheet integrated with Office Macro not Rendering when Worksheet Name is specified
  37. Suggestion
    CONFSERVER-98054Disable Pages and Attachments versions
  38. Bug
    CONFSERVER-98053Incorrect language used in the content of the pop-up window of the Team Calendar
  39. Bug
    CONFSERVER-98052Dragging and dropping attachment's thumbnails disappear in edit mode
  40. Suggestion
    CONFSERVER-98051标注问题
  41. Bug
    CONFSERVER-98050"Go to included page" hits 400
  42. Suggestion
    CONFSERVER-98048Security enhance in Confluence Databases. Columns access restrictions.
  43. Suggestion
    CONFSERVER-98047Add the ability to pin macros to the editing panel in Confluence
  44. Bug
    CONFSERVER-98044LocalNotification is failing to add context path to the icon and URL as part of notification and to the detailed view of the notification
  45. Suggestion
    CONFSERVER-98043Add date and user pickers as variables in Confluence Templates
  46. Suggestion
    CONFSERVER-98042Data Center Syntax-Highlighting needs to be updated to include more languages
  47. Bug
    CONFSERVER-98039Office Excel Marco doesn't work properly when worksheet name is provided
  48. Public Security Vulnerability
    CONFSERVER-98022DoS (Denial of Service) decode-uri-component Dependency in Confluence Data Center
  49. Public Security Vulnerability
    CONFSERVER-98021BASM (Broken Authentication & Session Management) browserify-sign Dependency in Confluence Data Center
  50. Suggestion
    CONFSERVER-98019Emojis on folders
Refresh results
703 of 47610
Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-98199

Using an invalid or wrong personal access token with REST API is incorrectly handled as anonymous user instead of as an unauthorized request

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Low Low
    • None
    • 7.9.0, 9.0.0
    • Personal Access Tokens
    • None

      Issue Summary

      When trying to authenticate a REST API request with wrong credentials through basic authentication, Confluence properly respond with a 401 HTTP response status.

      The same behavior would be expected when using personal access tokens.
      If a wrong, nonexistent token is used, Confluence doesn't respond with 401 HTTP status, but passes the request as an anonymous user (if anonymous access is enabled).

      Note that regular product permissions is still followed and the results will only show data that an anonymous user would have access to.

      Steps to Reproduce

      1. Create a vanilla instance of Confluence Data Center.
        • This was validated on Confluence version 9.0.
      2. Enable anonymous access.
      3. Create a sample Space with a couple of pages.
      4. Create a regular user with access to the sample space.
      5. Try accessing the following REST API using the correct credentials for the sample user. 
        CONFLUENCE_BASE_URL=http://127.0.0.1:8090
CONFLUENCE_USR_NAME=user001
CONFLUENCE_USR_PWD=user001

curl -v -o /dev/null \
  -u ${CONFLUENCE_USR_NAME}:${CONFLUENCE_USR_PWD} \
  ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
      6. Try accessing the same REST API using the wrong credentials as below. 
        CONFLUENCE_BASE_URL=http://127.0.0.1:8090
CONFLUENCE_USR_NAME=user001
CONFLUENCE_USR_PWD=not_my_password

curl -v -o /dev/null \
  -u ${CONFLUENCE_USR_NAME}:${CONFLUENCE_USR_PWD} \
  ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
      7. Create a personal access token (PAT) to the sample user.
      8. Try accessing the same REST API using the correct PAT. 
        CONFLUENCE_BASE_URL=http://127.0.0.1:8090

curl -v -o /dev/null \
  -H 'Authorization: Bearer MDM4MTUwMzY5OTUwOsozS9OggiMR2teDPOUWhnZTODOf' \
  ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'
      9. Try accessing the same REST API using the wrong credentials as below. 
        CONFLUENCE_BASE_URL=http://127.0.0.1:8090

curl -v -o /dev/null \
  -H 'Authorization: Bearer not_my_token' \
  ${CONFLUENCE_BASE_URL}'/rest/api/latest/content?limit=1'

      Expected Results

      The request is not authorized as it's using a nonexistent token and Confluence responds the request with a 401 HTTP status.

      Actual Results

      The request is fulfilled with a 200 HTTP response status.
      Since the used PAT doesn't exist, the request is made as anonymous.

      Workaround

      When using PAT, refer to the X-AUSERNAME response header to ensure the authentication worked with the expected user.

        1. screenshot-1.png
          screenshot-1.png
          285 kB
        2. screenshot-2.png
          screenshot-2.png
          265 kB

          Form Name

              Unassigned Unassigned
              tmasutti Thiago Masutti
              Affected customers:
              1 This affects my team
              Watchers:
              4 Start watching this issue

                Created:
                Updated: