Misconfigured Spaces

Description:

Confluence Spaces are an integrated feature in Atlassian Confluence to help members organize content. Spaces often contain public data such as public roadmaps, guides, knowledge bases, etc.

But these spaces can also be used to store sensitive information that is meant to be only available to internal employees. In case your visibility settings are not configured properly, you may risk disclosing potentially sensitive information to anonymous users.

Testing:

Visit the following application route to check if anonymous users can view and read any information on Confluence Spaces:

https://<companyName>.atlassian.net/wiki/spaces

Next, manually examine every Space for hardcoded credentials, sensitive data (such as financial information), or other information that is not meant to be public.

Remediation:

To disable anonymous access to a specific Confluence Space:

1. Navigate to /wiki/spaces on your Confluence site to list all your Confluence Spaces

2. Select the Space you would like to change its visibility settings off

1. Open the settings menu by clicking on Space settings

2. Under Space permissions, click on Anonymous access

1. Next, make sure to uncheck all permissions.

2. Finally, click Save to save all your settings.

Once finished, you should not be able to view the COnfluence Space as an anonymous user:

To entirely disable anonymous-level access on your Confluence site:

1. Click on the gear-icon on the top-right of your screen

2. Open the Global permissions tab under Security

3. Open the Anonymous access tab

4. Cross-check that all permissions are disabled for Anonymous users

5. Finally, save all your changes by clicking on Save

Potential Impact:

Unintentionally exposing private information (such as hard-coded secrets, internal financial data or even customer data) can introduce your company or organization to further attacks by bad actors. Generally allowing them to obtain a greater foothold in your network.

References: