This advisory discloses security vulnerabilities found and fixed in Comala Metadata. We recommend upgrading Comala Metadata to the latest supported version.

Affected Versions

The vulnerability affects Comala Metadata prior to version 3.5.6

Versions 3.5.6 and 4.0.0 release contains a fix for the issue mentioned below.

Confluence Page View Permission Vulnerability


Comalatech rates the severity of this issue as Medium according to the published Atlassian Security Levels.

This is an independent assessment and you should evaluate its applicability to your own IT environment.


Several data reporting macros in Comala Metadata allow users to see metadata snippets from pages they do not have permission to view.

The following macros have been identified as having a possible page view permission escalation for page metadata:

  • Metadata Values
  • Blogpost Report
  • Space Breadcrumbs
  • Space Report

Risk Mitigation

We recommend upgrading to the latest version of Comala Metadata, version 4.0. The 4.0 release transitions the app to a paid version, which will allow the Comalatech team to continue supporting and improving the app. It also ensures that our team can continue to update the app to be compatible with the newest releases of Confluence.

Alternatively you can install version 3.5.6, which is the last free version of the app we will release. Further bug fixes, including security vulnerabilities, will only be addressed in the paid version going forward.

If upgrading is not possible, the affected macros listed above can be individually disabled through the plugin manager.