The bundled Scroll Runtime plugin does not check permissions under certain conditions

Description

Summary

This advisory discloses a security issue of medium severity affecting all Scroll Exporter apps, and provides a step-by-step guide to help you rectify the issue.

If you have Scroll Runtime version 2.4.6 or earlier installed on your Confluence instances, you may be affected by this issue. After updating to Scroll PDF Exporter 4.5.3, Scroll Word Exporter 4.0.4 and other Scroll Exporters to 3.8.5, your instance is no longer affected by this security issue, because these app versions include Scroll Runtime 2.4.7.

Severity

K15t Software rates the severity level of this issue as medium, because exploiting the bug is limited to authenticated users and read-only operations.

This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.

Detailed description

We found a bug in the Scroll Runtime plugin which is bundled with the following Scroll apps:

This bug enables authenticated users to read page IDs and titles from all spaces, regardless of space permissions and page-level restrictions. Other page information, such as content, attachments or comments, is NOT affected by this bug.

Anonymous / unauthenticated users were NOT able to exploit the bug, even if access to anonymous users is enabled in Confluence and individual spaces.

We've rated this bug with a CVSS score of 4.3 (Medium).

Steps we've taken to fix this issue

We released Scroll PDF Exporter 4.5.3, Scroll Word Exporter 4.0.4 and other Scroll Exporters in version 3.8.5 including Scroll Runtime 2.4.7 on Atlassian Marketplace.

What you need to do to solve this issue on your instance

A Confluence administrator needs to upgrade Scroll PDF Exporter to 4.5.3, Scroll Word Exporter to 4.0.4 and other Scroll Exporters to version 3.8.5 or later. This will also update Scroll Runtime to version 2.4.7.
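The following script is an added example (not K15t's code) that an administrator can run against the JSON returned by Confluence's Universal Plugin Manager listing (GET /rest/plugins/1.0/) to find installed Scroll apps that are still below the fixed versions named in this advisory. It assumes the UPM response carries a "plugins" array whose entries have "name" and "version" fields, and matches apps by display name because the advisory does not give plugin keys; the listing embedded below is constructed, not captured from a real instance.

```python
"""Compare installed Scroll app versions against the fixed versions in this advisory."""
import json
import re

# Minimum versions that bundle Scroll Runtime 2.4.7 (taken from the advisory).
FIXED = {
    "Scroll Runtime": "2.4.7",
    "Scroll PDF Exporter": "4.5.3",
    "Scroll Word Exporter": "4.0.4",
}
OTHER_EXPORTER_FIXED = "3.8.5"  # every other "Scroll ... Exporter" app


def version_tuple(version):
    """'2.4.6' -> (2, 4, 6); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def fixed_version_for(name):
    """Return the minimum safe version for a Scroll app name, or None for other plugins."""
    if name in FIXED:
        return FIXED[name]
    if name.startswith("Scroll ") and name.endswith(" Exporter"):
        return OTHER_EXPORTER_FIXED
    return None


def affected_plugins(upm_json):
    """Return [(name, installed, required)] for Scroll apps older than the fixed version.

    upm_json is the body of GET /rest/plugins/1.0/ as a string (field names assumed)."""
    findings = []
    for plugin in json.loads(upm_json)["plugins"]:
        required = fixed_version_for(plugin["name"])
        if required and version_tuple(plugin["version"]) < version_tuple(required):
            findings.append((plugin["name"], plugin["version"], required))
    return findings


# Constructed sample listing for demonstration; not output from a real instance.
SAMPLE = json.dumps({"plugins": [
    {"name": "Scroll Runtime", "version": "2.4.6"},
    {"name": "Scroll PDF Exporter", "version": "4.5.3"},
    {"name": "Scroll HTML Exporter", "version": "3.8.4"},
    {"name": "Scroll Word Exporter", "version": "4.0.4"},
    {"name": "Some Other Plugin", "version": "1.0.0"},
]})

if __name__ == "__main__":
    for name, installed, required in affected_plugins(SAMPLE):
        print(f"{name}: installed {installed}, upgrade to {required} or later")
```

Replace SAMPLE with the live UPM response (fetched with administrator credentials) to audit a real instance.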

Assignee

Unassigned

Reporter

Jens Rutschmann (K15t)

Deployment

Server

Priority

Major