Confluence Administrator Can Add Himself to System Administrator Group

Type atlassian
Reporter cminarik
Modified 2017-02-17T04:33:33


I have found what I believe to be a security bug in Confluence that should be fixed.

We have System Administrator function from the Confluence Administrator Group, and created a new Group called System Administrators (see attachment). The purpose was to give our Tech Writers the ability to access the Admin screen without giving them the ability to install add-ons. They belong to the Confluence-Administrators group, but not to the System-Administrators group.

However, I have found out that they have the ability to add themselves to the System-Administrators group. This allows them to increase their own authority and install add-ons.

They should not be able to add themselves to a group that has higher authority than they already have.
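The escalation the report describes, and the check that would stop it, modelled in code. This is an added example for illustration and is not Confluence code or Atlassian's authorization model: the permission names, the user names, the mapping from groups to permissions, and the exact names of the two groups are assumptions. The unchecked variant lets anyone holding the administrator permission edit any group; the hardened variant refuses a membership change if the target group would confer any permission the acting user does not already hold, which blocks adding yourself to a more privileged group and adding a colleague to it alike, while still permitting delegation within the actor's own level of authority.

```python
"""Least-privilege check for group membership changes.

Added example, not Confluence code. Models the report above: a member of
the confluence-administrators group adding themself to the
system-administrators group. Permission names, user names and the
group-to-permission mapping are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# Hypothetical permission names. SYSTEM_ADMIN is what gates add-on installs here.
ADMIN = "ADMINISTER_CONFLUENCE"
SYSTEM_ADMIN = "SYSTEM_ADMIN"


class PermissionDenied(Exception):
    pass


@dataclass
class Directory:
    """Constructed in-memory directory: group permissions and user membership."""
    group_perms: dict = field(default_factory=dict)   # group -> set of permissions
    members: dict = field(default_factory=dict)       # user  -> set of groups

    def groups_of(self, user):
        return set(self.members.get(user, ()))

    def perms_of(self, user):
        """Effective permissions: union over all groups the user belongs to."""
        perms = set()
        for group in self.groups_of(user):
            perms |= self.group_perms.get(group, set())
        return perms

    def add_unchecked(self, actor, target, group):
        """Behaviour described in the report: any administrator may edit any group."""
        if ADMIN not in self.perms_of(actor):
            raise PermissionDenied(f"{actor} is not an administrator")
        self.members.setdefault(target, set()).add(group)

    def add_least_privilege(self, actor, target, group):
        """Hardened: the actor may only confer permissions the actor already holds."""
        actor_perms = self.perms_of(actor)
        if ADMIN not in actor_perms:
            raise PermissionDenied(f"{actor} is not an administrator")
        gained = self.group_perms.get(group, set()) - actor_perms
        if gained:
            raise PermissionDenied(
                f"{actor} cannot add {target} to {group}: "
                f"it would grant {sorted(gained)}, which {actor} lacks")
        self.members.setdefault(target, set()).add(group)


def build_directory():
    """Constructed sample data mirroring the two groups named in the report."""
    d = Directory()
    d.group_perms = {
        "confluence-administrators": {ADMIN},
        "system-administrators": {ADMIN, SYSTEM_ADMIN},
    }
    d.members = {
        "sysadmin": {"system-administrators"},
        "techwriter": {"confluence-administrators"},
    }
    return d


def escalation_unchecked():
    """Tech writer adds themself to system-administrators: succeeds when unchecked."""
    d = build_directory()
    d.add_unchecked("techwriter", "techwriter", "system-administrators")
    return SYSTEM_ADMIN in d.perms_of("techwriter")


def escalation_hardened():
    """Same attempt against the hardened check: refused, no permission gained."""
    d = build_directory()
    try:
        d.add_least_privilege("techwriter", "techwriter", "system-administrators")
    except PermissionDenied:
        pass
    return SYSTEM_ADMIN in d.perms_of("techwriter")


def legitimate_grant():
    """A system administrator may still promote someone: nothing is gained beyond their own rights."""
    d = build_directory()
    d.add_least_privilege("sysadmin", "techwriter", "system-administrators")
    return SYSTEM_ADMIN in d.perms_of("techwriter")


def delegation_within_authority():
    """A confluence administrator may still add a colleague to their own level."""
    d = build_directory()
    d.add_least_privilege("techwriter", "newwriter", "confluence-administrators")
    return ADMIN in d.perms_of("newwriter")


if __name__ == "__main__":
    print("unchecked: tech writer gains SYSTEM_ADMIN ->", escalation_unchecked())
    print("hardened:  tech writer gains SYSTEM_ADMIN ->", escalation_hardened())
```

The decisive comparison is `group_perms[group] - perms_of(actor)`: it is computed from what the group would confer, not from whether the target is the actor, so it blocks self-elevation and elevation of a colleague with the same rule, and it keeps working if a group's permissions change later.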