API Security Blog

JSON-RPC API functions available anonymously even though anonymous API access is disabled.

The summary says it all really. The functions listed below can be called on our Confluence service even though Anonymous API Access is disabled (the check box is unchecked in the admin control panel). This is a problem for Confluence sites that hold sensitive user or group information.

*Functions in question*:
getUser
getUserInformation
hasGroup
getServerInfo

*Information that can be obtained from each*:
getUser – User’s email, full name, name, url
getUserInformation – id, content, creation date, last modifier name, username, creator name, last modification date, and version of user
hasGroup – whether a group exists in a Confluence instance or not
getServerInfo – obtain major version, build id, minor version, development build, and patch level
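The quickest way to confirm the behaviour described above on your own instance is to call each of the four methods with no credentials and see whether the server answers with a result or with a JSON-RPC error. The script below is an added example and is not part of the original report. It assumes the Confluence JSON-RPC 2.0 endpoint is served at /rpc/json-rpc/confluenceservice-v2, uses placeholder arguments ("alice", "confluence-users") for the methods that take a username or group name, and ships constructed sample responses so the classifier can be exercised offline; the getServerInfo sample mirrors the fields quoted in the report.

```python
"""Anonymously probe the Confluence JSON-RPC methods named in the report.

Added example, not from the original bug report. Endpoint path, placeholder
arguments and the sample responses below are assumptions for illustration.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumption: Confluence serves its JSON-RPC 2.0 API at this path.
RPC_PATH = "/rpc/json-rpc/confluenceservice-v2"

# The four methods from the report, each with sample positional arguments.
# "alice" and "confluence-users" are placeholders, not values from the report.
PROBES = [
    ("getServerInfo", []),
    ("getUser", ["alice"]),
    ("getUserInformation", ["alice"]),
    ("hasGroup", ["confluence-users"]),
]


def build_request(method, params, req_id=1):
    """Return the JSON-RPC 2.0 request body for one method call."""
    return {"jsonrpc": "2.0", "method": method, "params": list(params), "id": req_id}


def classify(response):
    """Classify a parsed JSON-RPC response to an unauthenticated call.

    "leak"   - the server returned a result, i.e. data was served anonymously
    "denied" - the server returned a JSON-RPC error object (call refused)
    "other"  - anything else (HTML login page, malformed body, ...)
    """
    if not isinstance(response, dict):
        return "other"
    if response.get("error") is not None:
        return "denied"
    if "result" in response:
        return "leak"
    return "other"


def probe(base_url, method, params, timeout=10):
    """POST one anonymous call and return (classification, parsed body)."""
    body = json.dumps(build_request(method, params)).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + RPC_PATH,
        data=body,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    # Deliberately no Authorization header or session cookie: we want the
    # view an anonymous caller gets.
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raw = err.read()
    try:
        parsed = json.loads(raw)
    except ValueError:
        return "other", raw[:200]
    return classify(parsed), parsed


def run_probes(base_url):
    """Return [(method, classification), ...] for every probe in PROBES."""
    return [(m, probe(base_url, m, p)[0]) for m, p in PROBES]


# Constructed sample responses (not captured from a real site) so the
# classifier can be checked offline. Three show the anonymous leak the report
# describes; getUserInformation shows what a correctly gated call looks like.
SAMPLE_RESPONSES = {
    "getServerInfo": {"jsonrpc": "2.0", "id": 1, "result": {
        "majorVersion": 5, "minorVersion": 1, "patchLevel": 0,
        "buildId": 4332, "developmentBuild": True}},
    "getUser": {"jsonrpc": "2.0", "id": 1, "result": {
        "name": "alice", "fullname": "Alice Example",
        "email": "alice@example.test", "url": "https://wiki.example.test/display/~alice"}},
    "hasGroup": {"jsonrpc": "2.0", "id": 1, "result": True},
    "getUserInformation": {"jsonrpc": "2.0", "id": 1,
        "error": {"code": 500, "message": "Not permitted"}},
}


def classify_samples():
    """Classify the constructed samples; method name -> classification."""
    return {m: classify(r) for m, r in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: probe_confluence_rpc.py https://wiki.example.test")
        print("offline sample classification:", classify_samples())
    else:
        for method, cls in run_probes(sys.argv[1]):
            print(f"{method:20s} {cls}")
```

Any method that comes back as "leak" with anonymous API access unchecked is an instance of the issue; a site that is gated correctly should return "denied" (or a login page, reported as "other") for all four. Run it once from outside your network so that any IP allow-listing or SSO proxy in front of the site does not mask the result.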

*System Info*:
Atlassian Confluence OnDemand
majorVersion:5
buildId:4332
minorVersion:1
developmentBuild:true
patchLevel:0

This issue also occurs on previous versions of Confluence.
* 3.5.16
* majorVersion:4, buildId:3289, minorVersion:2, developmentBuild:false, patchLevel:8
* majorVersion:5, buildId:4216, minorVersion:1, developmentBuild:false, patchLevel:1
* majorVersion:5, buildId:4249, minorVersion:1, developmentBuild:false, patchLevel:4
* majorVersion:5, buildId:4104, minorVersion:0, developmentBuild:false, patchLevel:0
* majorVersion:5, buildId:4226, minorVersion:1, developmentBuild:false, patchLevel:3
* majorVersion:4, buildId:3277, minorVersion:2, developmentBuild:false, patchLevel:1
* majorVersion:4, buildId:3398, minorVersion:3, developmentBuild:false, patchLevel:7
* majorVersion:4, buildId:3287, minorVersion:2, developmentBuild:false, patchLevel:7
* majorVersion:4, buildId:3390, minorVersion:3, developmentBuild:false, patchLevel:1
* majorVersion:4, buildId:3280, minorVersion:2, developmentBuild:false, patchLevel:3
* majorVersion:4, buildId:3281, minorVersion:2, developmentBuild:false, patchLevel:4
* majorVersion:4, buildId:3296, minorVersion:2, developmentBuild:false, patchLevel:13
* majorVersion:4, buildId:3295, minorVersion:2, developmentBuild:false, patchLevel:12
* majorVersion:4, buildId:3393, minorVersion:3, developmentBuild:false, patchLevel:3
* majorVersion:4, buildId:3152, minorVersion:1, developmentBuild:false, patchLevel:10
