Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.5.2
Affects Version/s: 2.4.0
Component/s: Administration - Users and Groups, Security - Other
Labels:
- da-security
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

With "Administrator" permission I go to the global permissions page (http://<host>:7990/admin/permissions).

1. Type in the name of another user without any global permissions.
2. Select "System Administrator" as permission.
3. Press save.

Expected result:
Stash would deny me creating a "System Administrator" since I am only a "Administrator".

Actual result:
Stash allows me to create a "System Administrator".

Since I can create users I'm able to create a new user give that user "System Administrator" permissions, and then log in as that user. Thus elevating my privileges.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...

Activity

People

Assignee:: CharlesA

Reporter:: Mads Tandrup

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 02/Jul/2013 12:16 PM

Updated:: 29/Sep/2015 3:59 AM

Resolved:: 03/Jul/2013 4:40 AM