Comments on private posts can be viewed by anyone via RSS
Reported by: palotasb
Owned by:
If you consider that comments on a private post can contain confidential information, this is a security bug or privacy/information disclosure vulnerability.
To reproduce, create a private post and try to view the post's comment feed after you've logged out. You can see the comments, but you shouldn't.
A temporary solution is to install the plugin I've attached to this ticket, but the real solution is to modify core files.
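The kind of access check the ticket asks for, written here as an added illustration; it is neither the plugin attached to the ticket (which is not on this page) nor the change WordPress core eventually made. It assumes current WordPress hooks and functions (`template_redirect`, `is_comment_feed()`, `is_singular()`, `get_queried_object_id()`, `current_user_can( 'read_post', ... )`, `pre_get_comments`), treats only posts with status `publish` as public, and fails closed: a per-post comment feed is only served when the post resolved and the visitor may read it.

```php
<?php
/*
Plugin Name: Private Post Comment Feed Guard (hypothetical example)
Description: Refuse comment feeds for posts the current visitor is not allowed to read.
*/

// Guard the per-post comment feed (e.g. /2009/01/post-name/feed/).
add_action( 'template_redirect', 'ppcfg_guard_singular_comment_feed' );

function ppcfg_guard_singular_comment_feed() {
    // Only act on a comment feed that is scoped to a single post.
    if ( ! is_comment_feed() || ! is_singular() ) {
        return;
    }

    // When WP_Query dropped the post because the visitor cannot read it,
    // no queried object exists and this returns 0. Treat that as "deny".
    $post_id = get_queried_object_id();

    $readable = false;
    if ( $post_id ) {
        // Assumption: 'publish' is the only status considered public here.
        if ( 'publish' === get_post_status( $post_id ) ) {
            $readable = true;
        } elseif ( current_user_can( 'read_post', $post_id ) ) {
            // Private (or otherwise non-public) post: require the capability
            // WordPress uses for reading that post.
            $readable = true;
        }
    }

    if ( $readable ) {
        return;
    }

    // Same outcome a visitor gets for the private post itself: not found,
    // and not cacheable, so an intermediate cache cannot leak a later copy.
    status_header( 404 );
    nocache_headers();
    wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
}

// Belt and braces for the site-wide comment feed (/comments/feed/):
// only return comments that belong to published posts when nobody is logged in.
add_action( 'pre_get_comments', 'ppcfg_restrict_sitewide_comment_feed' );

function ppcfg_restrict_sitewide_comment_feed( $query ) {
    if ( ! is_comment_feed() || is_singular() || is_user_logged_in() ) {
        return;
    }
    // WP_Comment_Query filters on the parent post's status via this query var.
    $query->query_vars['post_status'] = 'publish';
}
```

Drop the file into `wp-content/plugins/` (or `mu-plugins/`) and repeat the ticket's reproduction steps while logged out: the per-post comment feed should now return 404 instead of the comments. The site-wide hook is deliberately conservative (published posts only, anonymous visitors only) so it cannot hide comments from a logged-in author who is entitled to see them.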