| Summary | Unfiltered Confluence People Directory accessible to all users behind specially designed URLs |
|---|---|
| Advisory Release Date |
|
| Product | Space Privacy |
Affected Versions | Space Privacy 3.1.0 and earlier |
| Fixed Version | Space Privacy 3.1.1 |
| CVSS Classification | Base Score 4.3 (Medium) |
Problem
Accessing the People Directory with a specially designed URL while logged in allowed bypassing the Space Privacy filters – displaying basic profile information (name, email address and avatar) of all registered users.
This vulnerability has been rated as Medium (4.3) according to the scale published under the Common Vulnerability Scoring System (CVSS). Space Privacy 3.1.0 and earlier are affected by this vulnerability.
A customer disclosed the potential for profile data leaks to us after hours on . During we investigated the issue, patched the URL redirect to account for the vulnerable behavior, and prepared a hotfix release to Atlassian Marketplace. This patch, Space Privacy 3.1.1, has been published on .
Solution
Update to the latest Marketplace version: Space Privacy 3.1.1 or newer.
Should you be unable to perform this update, or encounter technical challenges while doing so, please reach out to our support team at https://seibert.biz/help.
A bug in certain Confluence versions (in particular, 7.4.6 and earlier) can cause parts of theming to not work properly after performing app updates. For more details, please refer to Parts of Linchpin or Confluence not accessible after update in our knowledge base if you're using Linchpin-based theming.
Link to this page: https://seibert.biz/kbsecuritynotice21-04-sp