Summary

Unfiltered Confluence People Directory accessible to all users behind specially designed URLs
Advisory Release Date

 

Product

Space Privacy

Affected Versions

Space Privacy 3.1.0 and earlier

Fixed Version

Space Privacy 3.1.1

CVSS Classification

Base Score 4.3 (Medium)

Problem

A logged-in user who accessed the People Directory with a specially designed URL could bypass the Space Privacy filters. The directory then displayed basic profile information (name, email address and avatar) of all registered users.

This vulnerability has been rated as Medium (4.3) according to the scale published under the Common Vulnerability Scoring System (CVSS). Space Privacy 3.1.0 and earlier are affected by this vulnerability.

A customer disclosed the potential for profile data leaks to us after hours on . During  we investigated the issue, patched the URL redirect to account for the vulnerable behavior, and prepared a hotfix release to Atlassian Marketplace. This patch, Space Privacy 3.1.1, has been published on .

Solution

Update to the latest Marketplace version: Space Privacy 3.1.1 or newer.

Should you be unable to perform this update, or encounter technical challenges while doing so, please reach out to our support team at https://seibert.biz/help.

A bug in certain Confluence versions (in particular, 7.4.6 and earlier) can cause parts of theming to not work properly after performing app updates. If you're using Linchpin-based theming, please refer to "Parts of Linchpin or Confluence not accessible after update" in our knowledge base for more details.

This page was last edited on 04/28/2021.