Security advisory - incorrect permissions on saved document versions (2018-03-07)
Incorrect permissions on saved document versions
|Advisory release date|2018-03-07|
|Products|Scroll Documents for Confluence Cloud|
|Affected versions|All versions before 1.0.15-AC|
This advisory discloses a security issue of critical severity affecting Scroll Documents for Confluence Cloud, and provides a step-by-step guide to help you rectify the issue.
All document versions created on or before March 6th, 2018 may be affected by this issue. From this date and time forward, all Cloud installations have been updated to Scroll Documents 1.0.15-AC. Document versions saved after the update are not affected by this security issue.
Unfortunately you will have to take action to fix the document versions that were made on or before the update. We will walk you through this process below.
K15t Software rates the severity level of this issue as critical, as content in saved document versions might be accessible to more users/groups than originally intended.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
Scroll Documents stores document versions as archived spaces in Confluence. When saving a document version, its archived space is created using the view permissions of the space containing the original document. Additionally, all of the original document's view page restrictions are applied to the document version.
The issue we have identified prevented these space permissions and page restrictions from being applied correctly. Please note that despite this issue the visibility of document versions has always been limited to your Confluence user base. The problem caused the default space permissions to be applied to all archived spaces, and anonymous access is not available in the default permissions.
This means that the archived spaces might be visible to Confluence users in your instance who should not have permission to access them. These users may be able to view this content by navigating to: Confluence Dashboard > Space Directory > Archived Spaces.
Steps we've taken to fix this issue
We have taken the following steps to address this issue:
- Deployed Scroll Documents 1.0.15-AC on Cloud
- Introduced a troubleshooting screen where you can fix the affected archived spaces
- Informed all app customers and evaluators who might have been affected
What you need to do to solve any issues on your instance
To follow these steps, you must have the Confluence Administrator global permission.
1: Recover the permissions for all document version spaces
Navigate to Confluence Administration > Space Permissions, and click Recover permissions for all listed document version spaces. If you see Manage permissions for a space, you already have the required permissions for the space.
You can identify document version spaces by the following name patterns (please note that the random hash values in the names will be different on your instance):
- Document Version Space for document 158cb35aad4f494481b68790d2acf807
- Document Version Space for document 013418c8-2aea-48be-b5d1-ad804890a4dc
- Document [f6e03d1f47504897a0f59a5d633790ed]
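As an added helper that is not part of the advisory or of the vendor's tooling, the following Python flags spaces whose names follow the three patterns above, so you can inventory candidate document version spaces before recovering their permissions. The sample space list is constructed; the Cloud REST endpoint `GET /wiki/rest/api/space?status=archived` and its paging fields are assumed from the public Confluence Cloud API and are not exercised offline.

```python
import base64
import json
import re
import urllib.request
from typing import Iterable, List

# Name shapes quoted in the advisory. The hex / UUID parts are random per
# instance, so we match on shape, never on a specific value.
_HEX32 = r"[0-9a-f]{32}"
_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
DOC_VERSION_NAME_PATTERNS = [
    re.compile(rf"^Document Version Space for document {_HEX32}$", re.I),
    re.compile(rf"^Document Version Space for document {_UUID}$", re.I),
    re.compile(rf"^Document \[{_HEX32}\]$", re.I),
]

# Constructed sample data in the shape of the REST API's "results" entries.
SAMPLE_SPACES = [
    {"key": "DVS1", "name": "Document Version Space for document 158cb35aad4f494481b68790d2acf807"},
    {"key": "DVS2", "name": "Document Version Space for document 013418c8-2aea-48be-b5d1-ad804890a4dc"},
    {"key": "DVS3", "name": "Document [f6e03d1f47504897a0f59a5d633790ed]"},
    {"key": "OPS", "name": "Operations Runbooks"},          # ordinary archived space
    {"key": "DOC", "name": "Document [not-a-hash]"},        # wrong shape, must not match
]


def is_document_version_space(name: str) -> bool:
    """True if a space name matches one of the advisory's three patterns."""
    return any(p.match(name.strip()) for p in DOC_VERSION_NAME_PATTERNS)


def find_document_version_spaces(spaces: Iterable[dict]) -> List[str]:
    """Return the keys of spaces whose names mark them as document versions."""
    return [s["key"] for s in spaces if is_document_version_space(s.get("name", ""))]


def fetch_archived_spaces(base_url: str, email: str, api_token: str) -> List[dict]:
    """Page through archived spaces (assumed endpoint/params; needs network and a token)."""
    auth = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    start, limit, out = 0, 50, []
    while True:
        url = f"{base_url}/wiki/rest/api/space?status=archived&start={start}&limit={limit}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}",
                                                   "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page.get("results", []))
        if page.get("size", 0) < limit:
            return out
        start += limit


if __name__ == "__main__":
    print(find_document_version_spaces(SAMPLE_SPACES))  # expected: ['DVS1', 'DVS2', 'DVS3']
```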
2: Run the troubleshooting
Access the troubleshooting page at Confluence Administration > Scroll Documents > Troubleshooting.
- After the automatic analysis is complete, all spaces with problems will be listed
- If an automatic fix is possible, click the Fix buttons for all affected spaces to solve the problems in them
- If there is a Reanalyze button for an entry, manual steps are required. Click the purple info icon for instructions on how to manually fix the problem
- Click Reanalyze for the problem you just fixed; it should now be reported as fixed
- Repeat the two preceding steps (manual fix, then Reanalyze) for all problems that require manual steps
We are here to support you
We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.
In case you have any questions or want support in fixing the issue on your system, please let us know at firstname.lastname@example.org. We are happy to schedule a 1:1 screensharing session to help you resolve the issue should you so desire.