
4 matches found

Atlassian
added 2024/09/11 10:31 a.m., 14 views

Incorrect context paths included in the fallback URL still pass you to the login form when enable-authentication-fallback is enabled.

Issue Summary: When using an incorrect fallback URL to bypass SAML, you are still passed to the login form. This can be reproduced using a context path in the URL when no context path is set in the server.xml or by using a misspelled/wrong context path when one is set. This is reproducible on...

AI score: 7.1
Exploits: 0

Atlassian
added 2017/05/05 2:23 p.m., 21 views

Security Issue: REST API does not respect 'Allow Anonymous Access to Remote API' setting on pages that has anonymous access

Summary: Anonymous API access is allowed on pages that have Anonymous View Permission, even though the 'Allow Anonymous Access to Remote API' setting is not ticked. Steps to Reproduce: Make sure that 'Allow Anonymous Access to Remote API' setting from Confluence Administration Security...

AI score: 0.9
Exploits: 0, Affected Software: 1

Atlassian
added 2013/05/10 2:55 p.m., 21 views

Recommended updates email includes excerpts from Private/Restricted pages

The recommended updates email will include pages that are restricted, so all users will see an excerpt of that page. This is a security concern as projects that are documented could contain sensitive information. Also mentioned by users in the comments at...

AI score: 0.9
Exploits: 0, Affected Software: 1

Atlassian
added 2004/11/14 11:3 p.m., 15 views

Encrypt all passwords stored on the file system

NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion (http://jira.atlassian.com/browse/CONFSERVER-2146). Passwords are not encrypted in confluence-mail.cfg.xml nor in confluence.cfg.xml; they should be. Resolve an...

AI score: 1.1
Exploits: 0, Affected Software: 1