Misconfigured Spaces

Description:

Confluence Spaces are an integrated feature in Atlassian Confluence to help members organize content. Spaces often contain public data such as public roadmaps, guides, knowledge bases, etc.

But these spaces can also be used to store sensitive information that is meant to be available only to internal employees. If your visibility settings are not configured properly, you risk disclosing potentially sensitive information to anonymous users.

Testing:

Visit the following application route to check if anonymous users can view and read any information on Confluence Spaces:

https://<companyName>.atlassian.net/wiki/spaces

Next, manually examine every Space for hardcoded credentials, sensitive data (such as financial information), or other information that is not meant to be public.
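A scripted version of the check above, added here as an example that is not part of the original guide: it lists the Spaces an unauthenticated visitor can see on your own site and flags any not on an allowlist of intentionally public Spaces. It assumes the Confluence Cloud REST endpoint GET /wiki/rest/api/space (paginated via _links.next) and uses a constructed sample response for offline runs.

```python
import json
import sys
import urllib.request
from urllib.error import HTTPError

# Constructed sample of the JSON shape assumed for GET /wiki/rest/api/space.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"key": "PUB", "name": "Public Roadmap", "type": "global"},
        {"key": "FIN", "name": "Finance Internal", "type": "global"},
        {"key": "~alice", "name": "Alice", "type": "personal"},
    ],
    "start": 0, "limit": 250, "size": 3,
})


def parse_spaces(body):
    """Extract the list of space objects from one page of the listing."""
    return json.loads(body).get("results", [])


def exposed_spaces(spaces, allowlist=()):
    """Keys of anonymously visible spaces that are not meant to be public."""
    return sorted(s["key"] for s in spaces if s.get("key") not in allowlist)


def fetch_anonymous_spaces(site, limit=250):
    """Query the space listing with NO credentials, following pagination.
    A 401/403 means anonymous listing is refused, so nothing is exposed."""
    base = f"https://{site}.atlassian.net/wiki"
    url = f"{base}/rest/api/space?limit={limit}"
    spaces = []
    while url:
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                page = json.loads(resp.read())
        except HTTPError as err:
            if err.code in (401, 403):
                return []
            raise
        spaces.extend(page.get("results", []))
        nxt = page.get("_links", {}).get("next")  # relative to the /wiki base
        url = f"{page.get('_links', {}).get('base', base)}{nxt}" if nxt else None
    return spaces


if __name__ == "__main__":
    # Usage: python audit_spaces.py <companyName> [PUBLIC_KEY ...]
    site, allow = sys.argv[1], set(sys.argv[2:])
    for key in exposed_spaces(fetch_anonymous_spaces(site), allow):
        print(f"anonymous users can see Space: {key}")
```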

Remediation:

To disable anonymous access to a specific Confluence Space:

  1. Navigate to /wiki/spaces on your Confluence site to list all your Confluence Spaces

  2. Select the Space whose visibility settings you would like to change

  3. Open the settings menu by clicking on Space settings

  4. Under Space permissions, click on Anonymous access

  5. Next, make sure to uncheck all permissions.

  6. Finally, click Save to save all your settings.

Once finished, you should not be able to view the Confluence Space as an anonymous user.

To entirely disable anonymous-level access on your Confluence site:

  1. Click on the gear-icon on the top-right of your screen

  2. Open the Global permissions tab under Security

  3. Open the Anonymous access tab

  4. Cross-check that all permissions are disabled for Anonymous users

  5. Finally, save all your changes by clicking on Save

Potential Impact:

Unintentionally exposing private information (such as hard-coded secrets, internal financial data or even customer data) can expose your company or organization to further attacks by bad actors, generally allowing them to obtain a greater foothold in your network.
