Intigriti - Hack Hub

Misconfigured Spaces


Last updated 11 months ago


Description:

Confluence Spaces are an integrated feature in Atlassian Confluence to help members organize content. Spaces often contain public data such as public roadmaps, guides, knowledge bases, etc.

But these Spaces can also be used to store sensitive information that is meant to be available only to internal employees. If the visibility settings are not configured properly, you risk disclosing potentially sensitive information to anonymous users.

Testing:

Visit the following application route to check if anonymous users can view and read any information on Confluence Spaces:

https://<companyName>.atlassian.net/wiki/spaces

Next, manually examine every Space for hardcoded credentials, sensitive data (such as financial information), or other information that is not meant to be public.
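As an added example (not part of the Misconfig Mapper docs), a small Python check that performs the anonymous request described above and lists any Spaces readable without logging in, so you can verify the remediation below. It assumes the Confluence Cloud REST endpoint /wiki/rest/api/space, which this page does not name, and the sample response is constructed.

```python
"""Check whether a Confluence Cloud site lists Spaces to anonymous users."""
import json
import sys
import urllib.error
import urllib.request

# Route from the page; the REST endpoint is an assumption (Confluence Cloud REST API v1).
SPACES_PAGE = "/wiki/spaces"
SPACES_API = "/wiki/rest/api/space?limit=100"


def parse_space_listing(status: int, body: str) -> list[dict]:
    """Return the Spaces an anonymous caller can see from an API response.

    A non-200 status or a non-JSON body (e.g. a login page) counts as nothing
    visible. Each item carries the Space key, name and type (global/personal).
    """
    if status != 200:
        return []
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    return [{"key": s.get("key", ""), "name": s.get("name", ""), "type": s.get("type", "")}
            for s in data.get("results", [])]


def fetch_anonymously(site: str, route: str) -> tuple[int, str]:
    """GET <site><route> with no cookies or credentials; returns (status, body)."""
    req = urllib.request.Request(site + route, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403 etc. still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def report(spaces: list[dict]) -> str:
    """Human-readable verdict; every listed Space still needs a manual content review."""
    if not spaces:
        return "OK: no Confluence Spaces are visible to anonymous users."
    lines = [f"FINDING: {len(spaces)} Space(s) readable anonymously; review each for sensitive data:"]
    lines += [f"  - {s['key']:<12} {s['type']:<9} {s['name']}" for s in spaces]
    return "\n".join(lines)


# Constructed sample of a v1 API response when two Spaces are anonymously readable.
SAMPLE_BODY = json.dumps({"results": [
    {"key": "ENG", "name": "Engineering", "type": "global"},
    {"key": "~jdoe", "name": "John Doe", "type": "personal"}], "size": 2})

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python check.py https://<companyName>.atlassian.net
        status, body = fetch_anonymously(sys.argv[1].rstrip("/"), SPACES_API)
    else:
        status, body = 200, SAMPLE_BODY  # offline demo on the constructed sample
    print(report(parse_space_listing(status, body)))
```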

Remediation:

To disable anonymous access to a specific Confluence Space:

  1. Navigate to /wiki/spaces on your Confluence site to list all your Confluence Spaces

  2. Select the Space whose visibility settings you want to change

  3. Open the settings menu by clicking on Space settings

  4. Under Space permissions, click on Anonymous access

  5. Next, make sure to uncheck all permissions.

  6. Finally, click Save to save all your settings.

Once finished, you should no longer be able to view the Confluence Space as an anonymous user.

To entirely disable anonymous-level access on your Confluence site:

  1. Click on the gear-icon on the top-right of your screen

  2. Open the Global permissions tab under Security

  3. Open the Anonymous access tab

  4. Cross-check that all permissions are disabled for Anonymous users

  5. Finally, save all your changes by clicking on Save

Potential Impact:

Unintentionally exposing private information (such as hard-coded secrets, internal financial data or even customer data) can expose your company or organization to further attacks by bad actors, generally allowing them to obtain a greater foothold in your network.

References:

https://infosecwriteups.com/hundreds-of-companies-internal-data-exposed-the-confluence-cloud-misconfiguration-63cbc143caea
https://confluence.atlassian.com/doc/assign-space-permissions-139460.html
https://support.atlassian.com/confluence-cloud/docs/make-a-space-public/